It appears that there may be a privilege escalation vulnerability in OpenSSH under Debian due to how SELinux hands out roles.
227a31a0b1018513db637838fb8a6b39/* Debian (maybe other derivates |KUDUBUTUNTU|) OpenSSH Remote -=Authenticated=- SELinux Privilege Elevation
*** Fedora/RHEL Linux should be tested because it _MAY_ contain the same vulnerability
*** in it's OpenSSH patches in a time slice. Latest OpenSSH should not be vulnerable. Older Debian Releases may.
**** One vulnerable example is "openssh-SNAP-20070303.tar.gz", currently reachable at
**** ftp://ftp.bit.nl/mirror/openssh/openssh-SNAP-20070303.tar.gz
****
*** See the "Diff Patch" by Debian:
*** + authctxt->role = role ? xstrdup(role) : NULL;
**** Where the role is defined in the username after a forward slash '/'
**** So anyone can set arbritrary SELinux roles, when OpenSSH is configured with --with-selinux -
**** What is a common configuration nowadays.
**** For the kids:
***** ssh -lusername:[style]/<arbritrary SELinux role> host
***** ssh -p2222 -lusername:/wishedrole 127.0.0.1
**** ':' means [style] -> [[not relevant]] '/'<arbritrary SELinux role> is the specified SELinux role.
****
**** This seams to be a bug jailed in some distros because of legacy code.
****
**** 'Exploit' found and delivered by Kingcope.
***//Želiteb0yŽ//
**** CHEERIO ****/
REM blablablaIHAVEPRETTYIDEAHOWSELINUXRUNSWORKSORWHATEVERblablabla
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!