Hello,

The OpenSSH shipped with FreeBSD 4.4 (and earlier) doesn't drop privileges before messing with the login class capability database. The most problematic code is:

    if (newcommand == NULL && !quiet_login && !options.use_login) {
        fname = login_getcapstr(lc, "copyright", NULL, NULL);
        if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
            while (fgets(buf, sizeof(buf), f) != NULL)
                fputs(buf, stdout);
            fclose(f);

and

    f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", "/etc/motd"), "r");
    [...]
    while (fgets(buf, sizeof(buf), f))
        fputs(buf, stdout);
    fclose(f);

in session.c, which allows ANY file on the system to be read with superuser privileges, by defining:

    default:\
        :copyright=/etc/master.passwd:

or

    :welcome=/etc/master.passwd:

in the user's ~/.login_conf.

login(1), which is suid and spawned by telnetd, is also vulnerable to a similar attack:

    if (!rootlogin)
        auth_checknologin(lc);
    [...]
    (void)setegid(pwd->pw_gid);
    (void)seteuid(rootlogin ? 0 : pwd->pw_uid);

The check for nologin is performed with superuser privileges. auth_checknologin() is a libutil function which displays the nologin file, as defined in the login capability database. A user can read ANY file on the system by defining:

    default:\
        :nologin=/etc/master.passwd:

The FreeBSD core team has already been informed and official patches were incorporated into the CVS repository *before* 4.4-RELEASE, although 4.4-RC and earlier versions are vulnerable and need to be patched with:

http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libutil/login_cap.c?rev=1.17.2.3&content-type=text/plain

An official advisory is pending. It's possible that other *BSD systems supporting the login capability database are also vulnerable.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
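Both of the spots above share one defect: a path taken from the user's own ~/.login_conf (copyright, welcome, nologin) is passed to fopen() while the process still has root's effective credentials, so the kernel's file permission check never applies to the user. The example below is an added illustration of the defensive pattern, not code from OpenSSH, login(1) or the FreeBSD patch: the file is opened only after temporarily switching the effective uid/gid to the target user's, and any failure to switch is treated as a failure to open (never a fallback to opening as root). fopen_as_user(), make_temp_file(), test_uid() and can_read_as_user() are hypothetical helper names; the uid 65534 used when the demo itself runs as root is an assumed unprivileged placeholder.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical replacement for the privileged fopen() pattern quoted above.
 * The path comes from a file the user controls, so it is opened with the
 * user's effective credentials (their pw_uid/pw_gid), not root's. */
FILE *fopen_as_user(const char *path, uid_t uid, gid_t gid)
{
    FILE *f;
    int saved_errno;
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();

    if (saved_uid != 0) {
        /* Already unprivileged: the kernel enforces the user's permissions. */
        return fopen(path, "r");
    }
    /* Running as root: temporarily become the user. Group first, because
     * once the uid is dropped the gid could no longer be changed. */
    if (setegid(gid) != 0 || seteuid(uid) != 0) {
        /* Fail closed: never fall back to opening the file as root. */
        (void)setegid(saved_gid);
        return NULL;
    }
    f = fopen(path, "r");
    saved_errno = errno;
    /* Regain root for the rest of the login sequence; if that is impossible,
     * stop rather than continue in an unknown credential state. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0)
        abort();
    errno = saved_errno;
    return f;
}

/* Constructed test fixture: create a file in /tmp with the given mode and
 * contents and return its path (caller unlinks and frees it). */
char *make_temp_file(mode_t mode, const char *contents)
{
    char *path = strdup("/tmp/lc_example_XXXXXX");
    int fd = mkstemp(path);
    ssize_t n;
    if (fd < 0) { free(path); return NULL; }
    n = write(fd, contents, strlen(contents));
    (void)n;
    (void)fchmod(fd, mode);
    close(fd);
    return path;
}

/* Credentials to test with: the invoking user, or an assumed unprivileged
 * placeholder (65534, conventionally "nobody") when the demo runs as root. */
uid_t test_uid(void) { return getuid() == 0 ? (uid_t)65534 : getuid(); }
gid_t test_gid(void) { return getgid() == 0 ? (gid_t)65534 : getgid(); }

/* Returns 1 if path could be opened as the test user, 0 otherwise. */
int can_read_as_user(const char *path)
{
    FILE *f = fopen_as_user(path, test_uid(), test_gid());
    if (f == NULL)
        return 0;
    fclose(f);
    return 1;
}

int main(void)
{
    /* A mode 0000 file stands in for /etc/master.passwd: readable by root
     * only. A 0644 file stands in for a legitimate /etc/motd. */
    char *secret = make_temp_file(0000, "root-only\n");
    char *motd = make_temp_file(0644, "welcome\n");
    printf("0000 file readable as user: %d\n", can_read_as_user(secret)); /* prints 0 */
    printf("0644 file readable as user: %d\n", can_read_as_user(motd));   /* prints 1 */
    unlink(secret);
    unlink(motd);
    free(secret);
    free(motd);
    return 0;
}
```

The same helper would serve all three call sites: login(1) would call it for the nologin file before its own setegid()/seteuid() lines, and session.c would use it for both the copyright and welcome files. It relies on the effective-uid switch only, so the real uid stays 0 and the process can regain root afterwards; a process that has no further need for root should drop it permanently instead.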