OpenSSH X11 Cookie Local Authentication Bypass Vulnerability

Vulnerability ID 1189183 Type Input validation
Published 2007-09-04 Updated 2008-10-14
CVE CVE-2007-4752 CNNVD-ID CNNVD-200709-122
Platform N/A CVSS score 7.5
|Sources
https://www.securityfocus.com/bid/25628
https://cxsecurity.com/issue/WLB-2007090037
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200709-122
|Vulnerability details
OpenSSH is an open-source implementation of the SSH protocol, originally written for OpenBSD and since ported to most Unix/Linux systems. ssh(1) in versions before 4.7 mishandles X11 authentication cookies when X11 forwarding is requested in untrusted mode (ForwardX11, ssh -X): it asks xauth to generate a fresh untrusted cookie, and if that generation fails (for example because the xauth binary cannot perform it) it falls back to forwarding the user's real, trusted X11 cookie. X clients on the remote host that were supposed to be confined by the X SECURITY extension are then treated as trusted, so an attacker with a local account on the remote host can bypass the intended policy and gain elevated privileges over the user's X session. The fix, released in OpenSSH 4.7, stops the client from ever substituting the trusted cookie when untrusted cookie creation fails.
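The fallback described above, modelled as an added example: this is not OpenSSH's own client code and not part of the original page. It assumes a constructed stand-in for xauth (the struct xauth_sim, and the functions select_cookie, run_case and leaks_trusted_cookie are all hypothetical names); the xauth "generate ... untrusted timeout" command mentioned in the comments is what ssh(1) issues in untrusted mode. The same function shows the pre-4.7 behaviour (fixed = 0) beside the 4.7 behaviour (fixed = 1).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COOKIE_LEN 16   /* MIT-MAGIC-COOKIE-1 is 128 bits */

enum cookie_source { SRC_TRUSTED, SRC_UNTRUSTED, SRC_FAKE };

/* Constructed stand-in for the xauth(1) calls ssh(1) makes; nothing here
 * touches a real X server or ~/.Xauthority. */
struct xauth_sim {
    int generate_fails;                  /* the "generate ... untrusted" call fails */
    unsigned char trusted[COOKIE_LEN];   /* cookie held in the user's ~/.Xauthority */
    unsigned char untrusted[COOKIE_LEN]; /* cookie xauth would write on success */
};

/* Decide which cookie is forwarded to the remote side.
 *   trusted_mode: 1 for ForwardX11Trusted (ssh -Y), 0 for ForwardX11 (ssh -X)
 *   fixed:        0 models the pre-4.7 fallback, 1 models the 4.7 fix
 * The chosen cookie is copied into out[]; the return value says where it came from. */
enum cookie_source select_cookie(const struct xauth_sim *x, int trusted_mode,
                                 int fixed, unsigned char out[COOKIE_LEN])
{
    if (trusted_mode) {                    /* -Y: the trusted cookie is what was asked for */
        memcpy(out, x->trusted, COOKIE_LEN);
        return SRC_TRUSTED;
    }

    /* -X: ssh runs "xauth ... generate <display> MIT-MAGIC-COOKIE-1 untrusted
     * timeout <secs>" to obtain a cookie confined by the X SECURITY extension. */
    if (!x->generate_fails) {
        memcpy(out, x->untrusted, COOKIE_LEN);
        return SRC_UNTRUSTED;
    }

    if (!fixed) {
        /* CVE-2007-4752: generation failed, yet the client still lists and
         * forwards the real cookie, so every X client on the remote host is
         * trusted, which is exactly what -X was supposed to prevent. */
        memcpy(out, x->trusted, COOKIE_LEN);
        return SRC_TRUSTED;
    }

    /* 4.7 and later: never fall back to the trusted cookie.  Forward fake data
     * instead; the X server will not accept it as a cookie and applies its own
     * policy to the connection.  ssh draws this from its CSPRNG; rand() is
     * only for this offline model. */
    for (int i = 0; i < COOKIE_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
    return SRC_FAKE;
}

/* Run one scenario on constructed sample cookies.  If leaks_trusted is
 * non-NULL it is set to 1 when the forwarded cookie equals the real one. */
enum cookie_source run_case(int generate_fails, int trusted_mode, int fixed,
                            int *leaks_trusted)
{
    struct xauth_sim sim;
    unsigned char cookie[COOKIE_LEN];
    enum cookie_source src;

    memset(&sim, 0, sizeof sim);
    memset(sim.trusted, 0x11, COOKIE_LEN);    /* constructed sample cookies */
    memset(sim.untrusted, 0x22, COOKIE_LEN);
    sim.generate_fails = generate_fails;

    src = select_cookie(&sim, trusted_mode, fixed, cookie);
    if (leaks_trusted)
        *leaks_trusted = memcmp(cookie, sim.trusted, COOKIE_LEN) == 0;
    return src;
}

/* 1 if the scenario hands the remote side the real ~/.Xauthority cookie. */
int leaks_trusted_cookie(int generate_fails, int trusted_mode, int fixed)
{
    int leak = 0;
    run_case(generate_fails, trusted_mode, fixed, &leak);
    return leak;
}

static const char *src_name(enum cookie_source s)
{
    return s == SRC_TRUSTED ? "TRUSTED" : s == SRC_UNTRUSTED ? "UNTRUSTED" : "FAKE";
}

int main(void)
{
    printf("ssh -X, xauth generate fails, pre-4.7 : %s\n", src_name(run_case(1, 0, 0, NULL)));
    printf("ssh -X, xauth generate fails, 4.7+    : %s\n", src_name(run_case(1, 0, 1, NULL)));
    printf("ssh -X, xauth generate ok,    4.7+    : %s\n", src_name(run_case(0, 0, 1, NULL)));
    printf("ssh -Y, trusted by request,   4.7+    : %s\n", src_name(run_case(1, 1, 1, NULL)));
    return 0;
}
```

On a real client the same distinction is visible in verbose output: a 4.7 or later ssh -v -X that cannot generate an untrusted cookie logs "Warning: untrusted X11 forwarding setup failed: xauth key data not generated" and then uses fake authentication data, whereas a pre-4.7 client silently forwards the trusted cookie. The -Y case is included to show that the trusted cookie is still forwarded when the user explicitly asks for it; the bug is only the silent substitution in -X mode.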
|Exploit
No exploit code is given on this page; the text below is the OpenSSH 4.7 release announcement, whose first security item is the fix for this issue.
OpenSSH 4.7 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots and purchased
T-shirts or posters.

T-shirt, poster and CD sales directly support the project. Pictures
and more information can be found at:
        http://www.openbsd.org/tshirts.html and
        http://www.openbsd.org/orders.html

For international orders use http://https.openbsd.org/cgi-bin/order
and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Changes since OpenSSH 4.6:
============================

Security bugs resolved in this release:

 * Prevent ssh(1) from using a trusted X11 cookie if creation of an
   untrusted cookie fails; found and fixed by Jan Pechanec.

Other changes, new functionality and fixes in this release:

 * sshd(8) in new installations defaults to SSH Protocol 2 only.
   Existing installations are unchanged.

 * The SSH channel window size has been increased, and both ssh(1) and
   sshd(8) now send window updates more aggressively. This improves
   performance on high-BDP (Bandwidth Delay Product) networks.

 * ssh(1) and sshd(8) now preserve MAC contexts between packets, which
   saves 2 hash calls per packet and results in 12-16% speedup for
   arcfour256/hmac-md5.

 * A new MAC algorithm has been added, UMAC-64 (RFC4418) as
   "umac-64@openssh.com". UMAC-64 has been measured to be 
   approximately 20% faster than HMAC-MD5.

 * A -K flag was added to ssh(1) to set GSSAPIAuthentication=Yes

 * Failure to establish a ssh(1) TunnelForward is now treated as a
   fatal error when the ExitOnForwardFailure option is set.

 * ssh(1) returns a sensible exit status if the control master goes
   away without passing the full exit status. (bz #1261)

 * The following bugs have been fixed in this release:

   - When using a ProxyCommand in ssh(1), set the outgoing hostname with
     gethostname(2), allowing hostbased authentication to work (bz #616)
   - Make scp(1) skip FIFOs rather than hanging (bz #856)
   - Encode non-printing characters in scp(1) filenames.
     these could cause copies to be aborted with a "protocol error"
     (bz #891)
   - Handle SIGINT in sshd(8) privilege separation child process to
     ensure that wtmp and lastlog records are correctly updated
     (bz #1196)
   - Report GSSAPI mechanism in errors, for libraries that support
     multiple mechanisms (bz #1220)
   - Improve documentation for ssh-add(1)'s -d option (bz #1224)
   - Rearrange and tidy GSSAPI code, removing server-only code being
     linked into the client. (bz #1225)
   - Delay execution of ssh(1)'s LocalCommand until after all forwardings
     have been established. (bz #1232)
   - In scp(1), do not truncate non-regular files (bz #1236)
   - Improve exit message from ControlMaster clients. (bz #1262)
   - Prevent sftp-server(8) from reading until it runs out of buffer
     space, whereupon it would exit with a fatal error. (bz #1286)

 * Portable OpenSSH bugs fixed:

   - Fix multiple inclusion of paths.h on AIX 5.1 systems. (bz #1243)
   - Implement getpeereid for Solaris using getpeerucred. Solaris
     systems will now refuse ssh-agent(1) and ssh(1) ControlMaster
     clients from different, non-root users (bz #1287)
   - Fix compilation warnings by including string.h if found. (bz #1294)
   - Remove redefinition of _res in getrrsetbyname.c for platforms that
     already define it. (bz #1299)
   - Fix spurious "chan_read_failed for istate 3" errors from sshd(8),
     a side-effect of the "hang on exit" fix introduced in 4.6p1.
     (bz #1306)
   - pam_end() was not being called if authentication failed (bz #1322)
   - Fix SELinux support when SELinux is in permissive mode. Previously
     sshd(8) was treating SELinux errors as always fatal. (bz #1325)
   - Ensure that pam_setcred(..., PAM_ESTABLISH_CRED) is called before
     pam_setcred(..., PAM_REINITIALIZE_CRED), fixing pam_dhkeys.
     (bz #1339)
   - Fix privilege separation on QNX - pre-auth only, this platform does
     not support file descriptor passing needed for post-auth privilege
     separation. (bz #1343)

Thanks to everyone who has contributed patches, reported bugs and
tested releases.

Checksums:
==========

- SHA1 (openssh-4.7.tar.gz) = 9ebaab9b31e01bd0d04425dc23536bcc78f8d990
- SHA1 (openssh-4.7p1.tar.gz) = 58357db9e64ba6382bef3d73d1d386fcdc0508f4

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html
  and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.

|Affected products
Ubuntu Linux 7.10 sparc
Ubuntu Linux 7.10 powerpc
Ubuntu Linux 7.10 i386
Ubuntu Linux 7.10 amd64
Ubuntu Linux 7.04 sparc
Ubuntu Ubuntu
|References

Source: issues.rpath.com
Link: https://issues.rpath.com/browse/RPL-1706
Source: REDHAT
Name: RHSA-2008:0855
Link: http://www.redhat.com/support/errata/RHSA-2008-0855.html
Source: www.openssh.com
Link: http://www.openssh.com/txt/release-4.7
Source: VUPEN
Name: ADV-2008-2821
Link: http://www.frsirt.com/english/advisories/2008/2821
Source: support.avaya.com
Link: http://support.avaya.com/elmodocs2/security/ASA-2008-399.htm
Source: SECUNIA
Name: 32241
Link: http://secunia.com/advisories/32241
Source: SECUNIA
Name: 31575
Link: http://secunia.com/advisories/31575
Source: OVAL
Name: oval:org.mitre.oval:def:5599
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5599
Source: FEDORA
Name: FEDORA-2007-715
Link: https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00214.html
Source: MISC
Link: https://bugzilla.redhat.com/show_bug.cgi?id=280471
Source: XF
Name: openssh-x11cookie-privilege-escalation(36637)
Link: http://xforce.iss.net/xforce/xfdb/36637
Source: UBUNTU
Name: USN-566-1
Link: http://www.ubuntu.com/usn/usn-566-1
Source: BID
Name: 25628
Link: http://www.securityfocus.co