what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

rssh230.txt

rssh230.txt
Posted Dec 31, 2005
Authored by Derek Martin | Site pizzashack.org

Max Vozeler reported a flaw in the design of rssh_chroot_helper whereby it can be exploited to chroot to arbitrary directories and thereby gain root access. If rssh is installed on a system, and non-trusted users on that system have access which is not protected by rssh (i.e. they have full shell access), then they can use rssh_chroot_helper to chroot to arbitrary locations in the file system, and thereby gain root access. Versions of rssh below 2.3.0 are affected.

tags | advisory, arbitrary, shell, root
SHA-256 | e0400de36fd827a4ed316391ce7f793e1db1e6ed15f917f0dbbe692281d94f10

rssh230.txt

Change Mirror Download
Affected Software:  rssh - all versions prior to 2.3.0
Vulnerability: local user privilege escalation
Severity: *CRITICAL*
Impact: local users can gain root access
Solution: Please upgrade to v2.3.1

Summary
-------

rssh is a restricted shell which allows a system administrator to
limit users' access to a system via SSH to scp, sftp, rsync, rdist,
and cvs. It also allows the system administrator the ability to
chroot users to a configurable location.

* PLEASE NOTE *
This problem was fixed in 2.3.0, but there is another small bug (not
security-related) in that version which prompted me to release 2.3.1
today. I will announce that separately in appropriate channels.
Please upgrade to the 2.3.1 release, not the 2.3.0 release.

Max Vozeler reported a flaw in the design of rssh_chroot_helper
whereby it can be exploited to chroot to arbitrary directories and
thereby gain root access. If rssh is installed on a system, and
non-trusted users on that system have access which is not protected by
rssh (i.e. they have full shell access), then they can use
rssh_chroot_helper to chroot to arbitrary locations in the file system,
and thereby gain root access.

Workaround
----------

By careful configuration of file system mounts, it is possible to
avoid this problem; but doing so requires a fair amount of contortion
which will be difficult to re-engineer after an existing installation
has already been configured. The exploit requires the user to be able
to write executables in the directory they are chrooting to, and
create hard links to SUID binaries within that directory structure, so
by preventing either of these two things, the exploit will be foiled.
System administrators can accomplish this by careful configuration of
filesystem permissions, mount points, and mount options (such as
no_exec, no_suid, etc.). I will not go into details since the far
better solution is to upgrade.

Fix
---

The 2.3.0 release of rssh fixes this problem by forcing the chroot
helper program to re-parse the config file instead of allowing the
chroot home to be specified on the command line. Thus users not
listed can not use it to chroot (or will chroot to the default
location specified by the sysadmin), and users who are listed will be
chrooted to the directories where they are supposed to go only.

This version also fixes an unrelated bug which causes
rssh_chroot_helper to crash on the ia64 architecture (and possibly
others). Numerous people reported a problem with the way
va_start/va_end was used in log.c, which causes a segfault on 64-bit
Linux platforms. It is believed that this bug is not exploitable,
since no code in this module is ever executed with root privileges.
However this is also fixed in this release.

Thanks


--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close