Vulnerability Bulletins


Privilege escalation in OpenSSH scp

Vulnerability classification

Property Value
Confidence level Official
Impact Privilege escalation
Difficulty Expert
Required attacker level Remote access with an account

System information

Property Value
Affected manufacturer GNU/Linux
Affected software OpenSSH <= 4.2p1

Description

A vulnerability has been discovered in OpenSSH version 4.2p1 and earlier. It resides in the scp command, which, when making local copies of files, does not properly validate file names before using them in the call to system().

A local attacker could execute code with the privileges of the user running scp by means of a file name containing spaces or command-line metacharacters.
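
The weak pattern described above, next to the usual hardening (fork and exec with an argument vector), as an added C example. It is not OpenSSH source code; the function names, the sample file name and the use of sh as a stand-in for the copy program are assumptions made for the illustration.

```c
/* Added illustration, not OpenSSH source. sh stands in for the copy program
 * and reports, as its exit status, how many arguments it received. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Weak pattern: the name is pasted into a command string, so the shell
 * started by system() parses it again (spaces split, metacharacters act). */
int args_via_system(const char *name)
{
    char cmd[512];
    if (snprintf(cmd, sizeof cmd, "set -- %s; exit $#", name) >= (int)sizeof cmd)
        return -1;
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Hardened pattern: fork + exec with an argument vector. The script text is
 * a constant; name travels as one argv element ($1) and is never parsed. */
int args_via_argv(const char *name)
{
    int st;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", "exit $#", "sh", name, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

int main(void)
{
    const char *name = "annual report.txt";  /* constructed sample name */
    printf("system() string: %d argument(s), argv: %d argument(s)\n",
           args_via_system(name), args_via_argv(name));
    return 0;
}
```

When the two counts differ for the same name, the shell has re-interpreted the file name rather than passing it through as a single argument.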

Solution



Software update

Mandriva

Mandrakelinux 10.1
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/openssh-4.3p1-0.1.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/openssh-askpass-4.3p1-0.1.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/openssh-askpass-gnome-4.3p1-0.1.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/openssh-clients-4.3p1-0.1.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/openssh-server-4.3p1-0.1.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/SRPMS/openssh-4.3p1-0.1.101mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/openssh-4.3p1-0.1.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/openssh-askpass-4.3p1-0.1.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/openssh-askpass-gnome-4.3p1-0.1.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/openssh-clients-4.3p1-0.1.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/openssh-server-4.3p1-0.1.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/SRPMS/openssh-4.3p1-0.1.101mdk.src.rpm

Corporate Server 3.0
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/openssh-4.3p1-0.1.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/openssh-askpass-4.3p1-0.1.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/openssh-askpass-gnome-4.3p1-0.1.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/openssh-clients-4.3p1-0.1.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/openssh-server-4.3p1-0.1.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/SRPMS/openssh-4.3p1-0.1.C30mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/openssh-4.3p1-0.1.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/openssh-askpass-4.3p1-0.1.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/openssh-askpass-gnome-4.3p1-0.1.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/openssh-clients-4.3p1-0.1.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/openssh-server-4.3p1-0.1.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/SRPMS/openssh-4.3p1-0.1.C30mdk.src.rpm

Multi Network Firewall 2.0
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/openssh-4.3p1-0.1.M20mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/openssh-askpass-4.3p1-0.1.M20mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/openssh-askpass-gnome-4.3p1-0.1.M20mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/openssh-clients-4.3p1-0.1.M20mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/openssh-server-4.3p1-0.1.M20mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/SRPMS/openssh-4.3p1-0.1.M20mdk.src.rpm

Mandrivalinux LE2005
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/openssh-4.3p1-0.1.102mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/openssh-askpass-4.3p1-0.1.102mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/openssh-askpass-gnome-4.3p1-0.1.102mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/openssh-clients-4.3p1-0.1.102mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/openssh-server-4.3p1-0.1.102mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/SRPMS/openssh-4.3p1-0.1.102mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/openssh-4.3p1-0.1.102mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/openssh-askpass-4.3p1-0.1.102mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/openssh-askpass-gnome-4.3p1-0.1.102mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/openssh-clients-4.3p1-0.1.102mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/openssh-server-4.3p1-0.1.102mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/SRPMS/openssh-4.3p1-0.1.102mdk.src.rpm

Mandrivalinux 2006
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/openssh-4.3p1-0.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/openssh-askpass-4.3p1-0.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/openssh-askpass-gnome-4.3p1-0.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/openssh-clients-4.3p1-0.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/openssh-server-4.3p1-0.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/SRPMS/openssh-4.3p1-0.1.20060mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/openssh-4.3p1-0.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/openssh-askpass-4.3p1-0.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/openssh-askpass-gnome-4.3p1-0.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/openssh-clients-4.3p1-0.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/openssh-server-4.3p1-0.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/SRPMS/openssh-4.3p1-0.1.20060mdk.src.rpm

OpenBSD
OpenBSD 3.7
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/005_ssh.patch
OpenBSD 3.8
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/005_ssh.patch

Suse Linux
Updates can be downloaded via YAST or from the official Suse Linux FTP server

Red Hat
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
https://rhn.redhat.com/

SGI
Advanced Linux Environment 3 / RPM / Patch 10321
ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/RPMS
Advanced Linux Environment 3 / SRPM / Patch 10321
ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/SRPMS

Red Hat Linux (openssh)
Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Enterprise Linux ES (v. 2.1)
Red Hat Enterprise Linux WS (v. 2.1)
Red Hat Linux Advanced Workstation 2.1 Itanium Processor
https://rhn.redhat.com/

Hewlett-Packard (HPSBUX02178)
HP-UX B.11.00 - HP-UX Secure Shell A.04.40.006
HP-UX B.11.11 - HP-UX Secure Shell A.04.40.006
HP-UX B.11.23 - HP-UX Secure Shell A.04.40.007
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

Apple
Mac OS X 10.3.9 Client
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13243&cat=1&platform=osx&method=sa/SecUpd2007-003Pan.dmg
Mac OS X 10.3.9 Server
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13244&cat=1&platform=osx&method=sa/SecUpdSrvr2007-003Pan.dmg
Mac OS X Server 10.4.9 (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13236&cat=1&platform=osx&method=sa/MacOSXServerUpd10.4.9PPC.dmg
Mac OS X 10.4.9 Combo (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13206&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.9PPC.dmg
Mac OS X 10.4.9 Combo (Intel)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13207&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.9Intel.dmg
Mac OS X 10.4.9 (Intel)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13208&cat=1&platform=osx&method=sa/MacOSXUpd10.4.9Intel.dmg
Mac OS X 10.4.9 (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13209&cat=1&platform=osx&method=sa/MacOSXUpd10.4.9PPC.dmg
Mac OS X Server 10.4.9 (Universal)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13237&cat=1&platform=osx&method=sa/MacOSXServerUpd10.4.9Univ.dmg
Mac OS X Server 10.4.9 Combo (Universal)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13238&cat=1&platform=osx&method=sa/MacOSXSrvrCombo10.4.9Univ.dmg
Mac OS X Server 10.4.9 Combo (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13239&cat=1&platform=osx&method=sa/MacOSXSrvrCombo10.4.9PPC.dmg

Sun (102961)
Solaris 9 / SPARC / patch 114356-12
Solaris 10 / SPARC / patch 123324-03
Solaris 9 / x86 / patch 114357-11
Solaris 10 / x86 / patch 123325-03
http://sunsolve.sun.com/pub-cgi/show.pl?target=patchpage

Standard resources

Property Value
CVE CVE-2006-0225
BID 16369

Other resources

Bugzilla Bug (174026) – CVE-2006-0225 local to local copy uses shell expansion twice
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026

Secunia Advisory (SA18579)
http://secunia.com/advisories/18579

SecurityTracker Alert ID (1015540)
http://securitytracker.com/alerts/2006/Jan/1015540.html

Mandriva Security Advisory (MDKSA-2006:034)
http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:034

OpenBSD Security Advisory Feb 12, 2006
http://www.openbsd.org/security.html

SUSE Security Advisory (SUSE-SA:2006:008)
http://www.novell.com/linux/security/advisories/2006_08_openssh.html

Red Hat Security Advisory (RHSA-2006:0044-14)
https://rhn.redhat.com/errata/RHSA-2006-0044.html

Red Hat Security Advisory RHSA-2006:0698-8
https://rhn.redhat.com/errata/RHSA-2006-0698.html

SGI Security Advisory (20060703-01-U)
ftp://patches.sgi.com/support/free/security/advisories/20060703-01-U.asc

HP SECURITY BULLETIN (HPSBUX02178)
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=c00815112

Apple Security Update 2007-003 (305214)
http://docs.info.apple.com/article.html?artnum=305214

Sun Alert Notification (102961)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102961-1

Version history

Version Comments Date
1.0 Advisory issued 2006-02-07
1.1 Advisory issued by OpenBSD (Feb 12, 2006) 2006-02-13
1.2 Advisory issued by Suse (SUSE-SA:2006:008) 2006-02-15
1.3 Advisory issued by Red Hat (RHSA-2006:0044-14) 2006-03-08
1.4 Advisory issued by SGI (20060703-01-U) 2006-08-01
1.5 Advisory issued by Red Hat (RHSA-2006:0698-8) 2006-10-04
1.6 Advisory issued by HP (HPSBUX02178) 2006-12-05
1.7 Advisory issued by Apple (305214) 2007-03-19
1.8 Advisory issued by Sun (102961) 2007-06-12
1.9 Advisory updated by Sun (102961) 2007-06-22
1.10 Advisory updated by Sun (102961) 2007-06-27
1.11 Advisory updated by Sun (102961) 2007-06-28
Ministerio de Defensa
CNI
CCN
CCN-CERT