1. Systems affected: Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected if OpenSSH was compiled using a non-AIX compiler (e.g. gcc). Please note that the IBM-supplied OpenSSH packages[1] are not vulnerable. 2. Description: The default behavior of the runtime linker on AIX is to search the current directory for dynamic libraries before searching system paths. This is done regardless of the executable's set[ug]id status. This behavior is insecure and extremely dangerous. It allows an attacker to locally escalate their privilege level through the use of replacement libraries. Portable OpenSSH includes configure logic to override this broken behavior, but only for the native compiler. gcc uses a different command-line option (without changing the dangerous default behavior). 3. Impact: Privilege escalation by local users. 4. Short-term workaround: Remove any set[ug]id bits from the installed binaries, usually 'ssh-agent' and 'ssh-keysign'. Older versions of OpenSSH may also install the 'ssh' binary as setuid. Please note that removing the setuid bit from ssh-keysign will disable hostbased authentication. Portable OpenSSH 3.6.1p2 uses the correct compiler flags to avoid the dangerous linker behavior. 5. Solution: For the problem to be solved, the AIX linker must be changed to only search system paths by default and never search the current directory or user-specified paths for set[ug]id programs. We consider this a serious flaw in IBM's linker, and urge them to fix it immediately. IBM, are you listening? 6. Credits: Thanks to Andreas Repp (IBM Deutschland GmbH) for bringing the issue to our attention. Darren Tucker <dtucker@zip.com.au> contributed the fix. [1] http://oss.software.ibm.com/developerworks/projects/opensshi
