Vulnerability Bulletins


Privilege escalation in OpenSSH scp

Vulnerability classification

Property                 Value
Confidence level         Official
Impact                   Privilege escalation
Difficulty               Expert
Attacker requirements    Remote access with an account

System information

Property             Value
Affected vendor      GNU/Linux
Affected software    OpenSSH <= 4.2p1

Description

A vulnerability has been discovered in OpenSSH version 4.2p1 and earlier. It lies in the scp command, which, when making local copies of files, does not properly validate file names before using them in the call to system().

A local attacker could execute code with the privileges of the user running scp by means of a file name containing spaces or command-line (shell) metacharacters.
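The following C sketch is an added example, not OpenSSH source or part of the original bulletin: it shows the shell-free way to run a local copy, with fork() and execvp() passing each file name as a single argument. The function names has_shell_meta, copy_local and demo, and the sample file names, are assumptions constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Shape of the pattern the advisory describes (illustrative, not compiled):
 *     snprintf(cmd, sizeof cmd, "cp %s %s", src, dst); system(cmd);
 * /bin/sh re-parses cmd, so spaces or metacharacters in a name alter it. */

/* Audit helper: 1 if name holds a byte /bin/sh treats specially. */
int has_shell_meta(const char *name)
{
    return name[strcspn(name, " \t\n;&|<>()$`\\\"'*?[]{}#~!")] != '\0';
}

/* Hardened local copy: fork + execvp with an argv vector, no shell.
 * Each name reaches cp as exactly one argument; "--" ends option parsing. */
int copy_local(const char *src, const char *dst)
{
    char *argv[] = { "cp", "--", (char *)src, (char *)dst, NULL };
    int status;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    while (waitpid(pid, &status, 0) == -1)
        if (errno != EINTR) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Constructed sample: a name with a space and ';' must copy as one file. */
int demo(void)
{
    char dir[] = "/tmp/scpdemoXXXXXX", src[128], dst[128], buf[16] = "";
    FILE *f;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(src, sizeof src, "%s/my notes; v2.txt", dir);
    snprintf(dst, sizeof dst, "%s/copy of notes; v2.txt", dir);
    if ((f = fopen(src, "w")) == NULL) return -1;
    fputs("data", f); fclose(f);
    if (copy_local(src, dst) != 0 || (f = fopen(dst, "r")) == NULL) return -1;
    fgets(buf, sizeof buf, f); fclose(f);
    unlink(src); unlink(dst); rmdir(dir);
    return strcmp(buf, "data") == 0 ? 0 : -1;
}

int main(void) { return demo() == 0 ? 0 : 1; }
```

has_shell_meta is useful only for auditing or logging names that would have been unsafe under the old pattern; the protection itself comes from never handing the names to a shell.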

Solution

Software update

Mandriva

Mandrakelinux 10.1
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/openssh-4.3p1-0.1.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/openssh-askpass-4.3p1-0.1.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/openssh-askpass-gnome-4.3p1-0.1.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/openssh-clients-4.3p1-0.1.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/openssh-server-4.3p1-0.1.101mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/SRPMS/openssh-4.3p1-0.1.101mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/openssh-4.3p1-0.1.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/openssh-askpass-4.3p1-0.1.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/openssh-askpass-gnome-4.3p1-0.1.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/openssh-clients-4.3p1-0.1.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/openssh-server-4.3p1-0.1.101mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/SRPMS/openssh-4.3p1-0.1.101mdk.src.rpm

Corporate Server 3.0
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/openssh-4.3p1-0.1.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/openssh-askpass-4.3p1-0.1.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/openssh-askpass-gnome-4.3p1-0.1.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/openssh-clients-4.3p1-0.1.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/openssh-server-4.3p1-0.1.C30mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/SRPMS/openssh-4.3p1-0.1.C30mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/openssh-4.3p1-0.1.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/openssh-askpass-4.3p1-0.1.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/openssh-askpass-gnome-4.3p1-0.1.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/openssh-clients-4.3p1-0.1.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/openssh-server-4.3p1-0.1.C30mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/SRPMS/openssh-4.3p1-0.1.C30mdk.src.rpm

Multi Network Firewall 2.0
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/openssh-4.3p1-0.1.M20mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/openssh-askpass-4.3p1-0.1.M20mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/openssh-askpass-gnome-4.3p1-0.1.M20mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/openssh-clients-4.3p1-0.1.M20mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/openssh-server-4.3p1-0.1.M20mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/SRPMS/openssh-4.3p1-0.1.M20mdk.src.rpm

Mandrivalinux LE2005
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/openssh-4.3p1-0.1.102mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/openssh-askpass-4.3p1-0.1.102mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/openssh-askpass-gnome-4.3p1-0.1.102mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/openssh-clients-4.3p1-0.1.102mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/openssh-server-4.3p1-0.1.102mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/SRPMS/openssh-4.3p1-0.1.102mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/openssh-4.3p1-0.1.102mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/openssh-askpass-4.3p1-0.1.102mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/openssh-askpass-gnome-4.3p1-0.1.102mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/openssh-clients-4.3p1-0.1.102mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/openssh-server-4.3p1-0.1.102mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/SRPMS/openssh-4.3p1-0.1.102mdk.src.rpm

Mandrivalinux 2006
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/openssh-4.3p1-0.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/openssh-askpass-4.3p1-0.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/openssh-askpass-gnome-4.3p1-0.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/openssh-clients-4.3p1-0.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/openssh-server-4.3p1-0.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/SRPMS/openssh-4.3p1-0.1.20060mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/openssh-4.3p1-0.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/openssh-askpass-4.3p1-0.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/openssh-askpass-gnome-4.3p1-0.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/openssh-clients-4.3p1-0.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/openssh-server-4.3p1-0.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/SRPMS/openssh-4.3p1-0.1.20060mdk.src.rpm

OpenBSD
OpenBSD 3.7
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/005_ssh.patch
OpenBSD 3.8
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/005_ssh.patch

Suse Linux
Updates can be downloaded via YaST or from the official Suse Linux FTP server

Red Hat
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
https://rhn.redhat.com/

SGI
Advanced Linux Environment 3 / RPM / Patch 10321
ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/RPMS
Advanced Linux Environment 3 / SRPM / Patch 10321
ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/SRPMS

Red Hat Linux (openssh)
Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Enterprise Linux ES (v. 2.1)
Red Hat Enterprise Linux WS (v. 2.1)
Red Hat Linux Advanced Workstation 2.1 Itanium Processor
https://rhn.redhat.com/

Hewlett-Packard (HPSBUX02178)
HP-UX B.11.00 - HP-UX Secure Shell A.04.40.006
HP-UX B.11.11 - HP-UX Secure Shell A.04.40.006
HP-UX B.11.23 - HP-UX Secure Shell A.04.40.007
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

Apple
Mac OS X 10.3.9 Client
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13243&cat=1&platform=osx&method=sa/SecUpd2007-003Pan.dmg
Mac OS X 10.3.9 Server
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13244&cat=1&platform=osx&method=sa/SecUpdSrvr2007-003Pan.dmg
Mac OS X Server 10.4.9 (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13236&cat=1&platform=osx&method=sa/MacOSXServerUpd10.4.9PPC.dmg
Mac OS X 10.4.9 Combo (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13206&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.9PPC.dmg
Mac OS X 10.4.9 Combo (Intel)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13207&cat=1&platform=osx&method=sa/MacOSXUpdCombo10.4.9Intel.dmg
Mac OS X 10.4.9 (Intel)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13208&cat=1&platform=osx&method=sa/MacOSXUpd10.4.9Intel.dmg
Mac OS X 10.4.9 (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13209&cat=1&platform=osx&method=sa/MacOSXUpd10.4.9PPC.dmg
Mac OS X Server 10.4.9 (Universal)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13237&cat=1&platform=osx&method=sa/MacOSXServerUpd10.4.9Univ.dmg
Mac OS X Server 10.4.9 Combo (Universal)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13238&cat=1&platform=osx&method=sa/MacOSXSrvrCombo10.4.9Univ.dmg
Mac OS X Server 10.4.9 Combo (PPC)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13239&cat=1&platform=osx&method=sa/MacOSXSrvrCombo10.4.9PPC.dmg

Sun (102961)
Solaris 9 / SPARC / patch 114356-12
Solaris 10 / SPARC / patch 123324-03
Solaris 9 / x86 / patch 114357-11
Solaris 10 / x86 / patch 123325-03
http://sunsolve.sun.com/pub-cgi/show.pl?target=patchpage

Standard identifiers

Property    Value
CVE         CVE-2006-0225
BID         16369

Additional resources

Bugzilla Bug (174026) – CVE-2006-0225 local to local copy uses shell expansion twice
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026

Secunia Advisory (SA18579)
http://secunia.com/advisories/18579

SecurityTracker Alert ID (1015540)
http://securitytracker.com/alerts/2006/Jan/1015540.html

Mandriva Security Advisory (MDKSA-2006:034)
http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:034

OpenBSD Security Advisory Feb 12, 2006
http://www.openbsd.org/security.html

SUSE Security Advisory (SUSE-SA:2006:008)
http://www.novell.com/linux/security/advisories/2006_08_openssh.html

Red Hat Security Advisory (RHSA-2006:0044-14)
https://rhn.redhat.com/errata/RHSA-2006-0044.html

Red Hat Security Advisory RHSA-2006:0698-8
https://rhn.redhat.com/errata/RHSA-2006-0698.html

SGI Security Advisory (20060703-01-U)
ftp://patches.sgi.com/support/free/security/advisories/20060703-01-U.asc

HP SECURITY BULLETIN (HPSBUX02178)
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=c00815112

Apple Security Update 2007-003 (305214)
http://docs.info.apple.com/article.html?artnum=305214

Sun Alert Notification (102961)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102961-1

Version history

Version    Comment                                           Date
1.0        Advisory issued                                   2006-02-07
1.1        Advisory issued by OpenBSD (Feb 12, 2006)         2006-02-13
1.2        Advisory issued by Suse (SUSE-SA:2006:008)        2006-02-15
1.3        Advisory issued by Red Hat (RHSA-2006:0044-14)    2006-03-08
1.4        Advisory issued by SGI (20060703-01-U)            2006-08-01
1.5        Advisory issued by Red Hat (RHSA-2006:0698-8)     2006-10-04
1.6        Advisory issued by HP (HPSBUX02178)               2006-12-05
1.7        Advisory issued by Apple (305214)                 2007-03-19
1.8        Advisory issued by Sun (102961)                   2007-06-12
1.9        Advisory updated by Sun (102961)                  2007-06-22
1.10       Advisory updated by Sun (102961)                  2007-06-27
1.11       Advisory updated by Sun (102961)                  2007-06-28
