1. Systems affected:
Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected
if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).
Please note that the IBM-supplied OpenSSH packages[1] are
not vulnerable.
2. Description:
The default behavior of the runtime linker on AIX is to search
the current directory for dynamic libraries before searching
system paths. This is done regardless of the executable's
set[ug]id status.
This behavior is insecure and extremely dangerous. It allows an
attacker to locally escalate their privilege level through the
use of replacement libraries.
Portable OpenSSH includes configure logic to override this
broken behavior, but only for the native compiler. gcc uses a
different command-line option (without changing the dangerous
default behavior).
3. Impact:
Privilege escalation by local users.
4. Short-term workaround:
Remove any set[ug]id bits from the installed binaries,
usually 'ssh-agent' and 'ssh-keysign'. Older versions of OpenSSH
may also install the 'ssh' binary as setuid.
Please note that removing the setuid bit from ssh-keysign will
disable hostbased authentication.
Portable OpenSSH 3.6.1p2 uses the correct compiler flags to
avoid the dangerous linker behavior.
5. Solution:
For the problem to be solved, the AIX linker must be changed to
only search system paths by default and never search the current
directory or user-specified paths for set[ug]id programs.
We consider this a serious flaw in IBM's linker, and urge
them to fix it immediately. IBM, are you listening?
6. Credits:
Thanks to Andreas Repp (IBM Deutschland GmbH) for bringing the
issue to our attention. Darren Tucker <dtucker@zip.com.au>
contributed the fix.
[1] http://oss.software.ibm.com/developerworks/projects/opensshi
Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected
if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).
Please note that the IBM-supplied OpenSSH packages[1] are
not vulnerable.
2. Description:
The default behavior of the runtime linker on AIX is to search
the current directory for dynamic libraries before searching
system paths. This is done regardless of the executable's
set[ug]id status.
This behavior is insecure and extremely dangerous. It allows an
attacker to locally escalate their privilege level through the
use of replacement libraries.
Portable OpenSSH includes configure logic to override this
broken behavior, but only for the native compiler. gcc uses a
different command-line option (without changing the dangerous
default behavior).
3. Impact:
Privilege escalation by local users.
4. Short-term workaround:
Remove any set[ug]id bits from the installed binaries,
usually 'ssh-agent' and 'ssh-keysign'. Older versions of OpenSSH
may also install the 'ssh' binary as setuid.
Please note that removing the setuid bit from ssh-keysign will
disable hostbased authentication.
Portable OpenSSH 3.6.1p2 uses the correct compiler flags to
avoid the dangerous linker behavior.
5. Solution:
For the problem to be solved, the AIX linker must be changed to
only search system paths by default and never search the current
directory or user-specified paths for set[ug]id programs.
We consider this a serious flaw in IBM's linker, and urge
them to fix it immediately. IBM, are you listening?
6. Credits:
Thanks to Andreas Repp (IBM Deutschland GmbH) for bringing the
issue to our attention. Darren Tucker <dtucker@zip.com.au>
contributed the fix.
[1] http://oss.software.ibm.com/developerworks/projects/opensshi