OpenSSH UseLogin option arbitrary code execution

openssh-uselogin-execute-code (7647)

High Risk

Description:

OpenSSH could allow a local attacker to execute arbitrary code on the system, caused by a vulnerability in the UseLogin configuration option. If the UseLogin option is enabled, a local attacker can set the LD_PRELOAD or LD_LIBRARY_PATH environment variable to point to a maliciously created shared library file, which would be executed with superuser privileges once the login program is executed.

Consequences:

Gain Privileges

Remedy:

Upgrade to the latest version of OpenSSH (3.0.2 or later), available from the OpenSSH Web site. See References.

For Debian GNU/Linux 2.2 (alias potato):
Upgrade to the latest version of OpenSSH (1.2.3-9.4 or later), as listed in DSA-091-1. See References.

For FreeBSD 4.3-RELEASE:
Upgrade to the latest version of FreeBSD (4.3-RELEASEp21 dated 2001-12-03 or later), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-01:63. See References.

For FreeBSD 4.4-RELEASE:
Upgrade to the latest version of FreeBSD (4.4-RELEASEp1 dated 2001-12-03 or later), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-01:63. See References.

For FreeBSD 4.4-STABLE:
Upgrade to the latest version of FreeBSD (4.4-STABLE dated 2001-12-03 or later), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-01:63. See References.

— OR —

Apply the appropriate patch for your system, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-01:63. See References.

For Red Hat Linux 7.0 and 7.1:
Upgrade to the latest version of OpenSSH (2.9p2-11.7 or later), as listed in Red Hat Linux Errata Advisory RHSA-2001:161-08. See References.

For Red Hat Linux 7.2:
Upgrade to the latest version of OpenSSH (2.9p2-12 or later), as listed in Red Hat Linux Errata Advisory RHSA-2001:161-08. See References.

For SuSE Linux 6.4, 7.0, and 7.1 (Intel):
Upgrade to the latest version of OpenSSH (2.9.9p2-73 or later), as listed in SuSE Security Announcement SuSE-SA:2001:045. See References.

For SuSE Linux 7.2 and 7.3 (Intel):
Upgrade to the latest version of OpenSSH (2.9.9p2-74 or later), as listed in SuSE Security Announcement SuSE-SA:2001:045. See References.

For SuSE Linux 7.0, 7.1, and 7.3 (Sparc):
Upgrade to the latest version of OpenSSH (2.9.9p2-24 or later), as listed in SuSE Security Announcement SuSE-SA:2001:045. See References.

For SuSE Linux 7.1 (AXP Alpha):
Upgrade to the latest version of OpenSSH (2.9.9p2-26 or later), as listed in SuSE Security Announcement SuSE-SA:2001:045. See References.

For SuSE Linux 6.4 and 7.0 (PPC Power PC):
Upgrade to the latest version of OpenSSH (2.9.9p2-48 or later), as listed in SuSE Security Announcement SuSE-SA:2001:045. See References.

For SuSE Linux 7.1 and 7.3 (PPC Power PC):
Upgrade to the latest version of OpenSSH (2.9.9p2-49 or later), as listed in SuSE Security Announcement SuSE-SA:2001:045. See References.

For Trustix Secure Linux 1.1, 1.2, and 1.5:
Upgrade to the latest version of OpenSSH (3.0.2p1-2tr or later), as listed in Trustix Secure Linux Security Advisory #2001-0030. See References.

For Mandrake Linux 7.1 and Corporate Server 1.0.1:
Upgrade to the latest version of OpenSSH (3.0.2p1-1.4mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:092 : openssh. See References.

For Mandrake Linux 7.2 and Single Network Firewall 7.2:
Upgrade to the latest version of OpenSSH (3.0.2p1-1.3mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:092 : openssh. See References.

For Mandrake Linux 8.0:
Upgrade to the latest version of OpenSSH (3.0.2p1-1.2mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:092 : openssh. See References.

For Mandrake Linux 8.1:
Upgrade to the latest version of OpenSSH (3.0.2p1-1.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2001:092 : openssh. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

• Caldera International, Inc. Security Advisory CSSA-2001-042.1: Linux - Local vulnerability in OpenSSH.
• CIAC Information Bulletin M-026: OpenSSH UseLogin Privilege Elevation Vulnerability.
• FreeBSD Security Advisory FreeBSD-SA-01:63: OpenSSH UseLogin directive permits privilege escalation.
• Hewlett-Packard Company Security Bulletin HPSBTL0112-005: Security vulnerability in OpenSSH. (From SecurityFocus archive.)
• OpenSSH Web site: OpenSSH.
• openssh-unix-dev Mailing List, 2001-12-04 12:48:19: OpenSSH 3.0.2 fixes UseLogin vulnerability.
• SuSE Security Announcement SuSE-SA:2001:045: openssh.
• Trustix Secure Linux Security Advisory #2001-0030: OpenSSH.
• Vuln-Dev Mailing List, 2001-12-06 0:34:34: OpenSSH UseLogin proof of concept exploit.
• BID-3614: OpenSSH UseLogin Environment Variable Passing Vulnerability
• CVE-2001-0872: OpenSSH 3.0.1 and earlier with UseLogin enabled does not properly cleanse critical environment variables such as LD_PRELOAD, which allows local users to gain root privileges.
• DSA-091: ssh -- influencing login
• MDKSA-2001:092: Updated openssh packages fix local vulnerability with UseLogin
• OSVDB ID: 688: OpenSSH UseLogin Environment Variable Local Command Execution
• RHSA-2001-161: Updated OpenSSH packages available
• US-CERT VU#157447: OpenSSH UseLogin directive permits privilege escalation

Platforms Affected:

• Debian Debian Linux 2.2
• FreeBSD FreeBSD 4.3
• FreeBSD FreeBSD 4.4
• HP Secure OS 1.0
• MandrakeSoft Mandrake Linux 7.1
• MandrakeSoft Mandrake Linux 7.2
• MandrakeSoft Mandrake Linux 8.0
• MandrakeSoft Mandrake Linux 8.1
• MandrakeSoft Mandrake Linux Corporate Server 1.0.1
• MandrakeSoft Mandrake Single Network Firewall 7.2
• OpenBSD OpenBSD 2.6
• OpenBSD OpenBSD 2.7
• OpenBSD OpenBSD 2.8
• OpenBSD OpenBSD 2.9
• OpenBSD OpenSSH 1.2
• OpenBSD OpenSSH 1.2.1
• OpenBSD OpenSSH 1.2.2
• OpenBSD OpenSSH 1.2.27
• OpenBSD OpenSSH 1.2.3
• OpenBSD OpenSSH 2.1
• OpenBSD OpenSSH 2.1.1
• OpenBSD OpenSSH 2.1.1p4
• OpenBSD OpenSSH 2.2
• OpenBSD OpenSSH 2.2.0p1
• OpenBSD OpenSSH 2.3
• OpenBSD OpenSSH 2.3.0p1
• OpenBSD OpenSSH 2.5
• OpenBSD OpenSSH 2.5.1
• OpenBSD OpenSSH 2.5.1p1
• OpenBSD OpenSSH 2.5.1p2
• OpenBSD OpenSSH 2.5.2
• OpenBSD OpenSSH 2.5.2p1
• OpenBSD OpenSSH 2.5.2p2
• OpenBSD OpenSSH 2.9
• OpenBSD OpenSSH 2.9.9
• OpenBSD OpenSSH 2.9.9p1
• OpenBSD OpenSSH 2.9.9p2
• OpenBSD OpenSSH 2.9p1
• OpenBSD OpenSSH 2.9p2
• OpenBSD OpenSSH 3.0
• OpenBSD OpenSSH 3.0.1
• OpenBSD OpenSSH 3.0.1p1
• OpenBSD OpenSSH 3.0p1
• RedHat Linux 7
• RedHat Linux 7.1
• RedHat Linux 7.2
• RedHat Linux 7.3
• SCO Caldera OpenLinux eBuilder
• SCO Caldera OpenLinux eDesktop 2.4
• SCO Caldera OpenLinux eServer 2.3.1
• SCO Caldera OpenLinux Server 3.1
• SCO Caldera OpenLinux Workstation 3.1
• SUSE SuSE Linux 6.4
• SUSE SuSE Linux 7.0
• SUSE SuSE Linux 7.1
• SUSE SuSE Linux 7.2
• SUSE SuSE Linux 7.3
• Trustix Secure Linux 1.01
• Trustix Secure Linux 1.1
• Trustix Secure Linux 1.2
• Trustix Secure Linux 1.5

Reported:

Dec 04, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page