[openssh-unix-announce] Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)

Damien Miller djm at mindrot.org
Wed Apr 30 13:39:49 EST 2003

1. Systems affected:

	Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected 
	if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).

	Please note that the IBM-supplied OpenSSH packages[1] are 
	not vulnerable.

2. Description:

	The default behavior of the runtime linker on AIX is to search 
	the current directory for dynamic libraries before searching 
	system paths. This is done regardless of the executable's 
	set[ug]id status.

	This behavior is insecure and extremely dangerous. It allows an 
	attacker to locally escalate their privilege level through the 
	use of replacement libraries.

	Portable OpenSSH includes configure logic to override this 
	broken behavior, but only for the native compiler. gcc uses a
	different command-line option (without changing the dangerous 
	default behavior).

3. Impact:

	Privilege escalation by local users.

4. Short-term workaround:

	Remove any set[ug]id bits from the installed binaries,
	usually 'ssh-agent' and 'ssh-keysign'. Older versions of OpenSSH 
	may also install the 'ssh' binary as setuid.

	Please note that removing the setuid bit from ssh-keysign will 
	disable hostbased authentication. 

	Portable OpenSSH 3.6.1p2 uses the correct compiler flags to 
	avoid the dangerous linker behavior.

5. Solution:

	For the problem to be solved, the AIX linker must be changed to 
	only search system paths by default and never search the current 
	directory or user-specified paths for set[ug]id programs.

	We consider this a serious flaw in IBM's linker, and urge
	them to fix it immediately.  IBM, are you listening?

6. Credits:

	Thanks to Andreas Repp (IBM Deutschland GmbH) for bringing the
	issue to our attention. Darren Tucker <dtucker at zip.com.au>
	contributed the fix.

[1] http://oss.software.ibm.com/developerworks/projects/opensshi

More information about the openssh-unix-announce mailing list