Freely subscribe to our NEWSLETTER

Since the openssh-4.3p2-36.el5 package, a local attacker can
elevate his privileges via OpenSSH ChrootDirectory.

Severity: 2/4

Consequences: administrator access/rights, privileged access/rights

Provenance: user shell

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 01/10/2009

IMPACTED PRODUCTS

– Red Hat Enterprise Linux

DESCRIPTION OF THE VULNERABILITY

The ChrootDirectory directive of OpenSSH indicates the directory
where logged users are chrooted. These users are thus in an
independent area.

The version 4.3p2-36.el5 of the openssh package of RHEL 5 added
the "ChrootDirectory %h" directive, which chroots each user in his
home directory.

However,
– if the user can create a hard link of a suid program in his
home directory, and
– if this program depends on a configuration file (for example
/etc/suidprog/conf),
then, the user can create /home/user/etc/suidprog/conf, in order
to control the suid program.

A local attacker can therefore elevate his privileges.

CHARACTERISTICS

Identifiers: 522141, BID-36552, CVE-2009-2904, RHSA-2009:1470-01,
VIGILANCE-VUL-9063

http://vigilance.fr/vulnerability/RHEL-5-privilege-elevation-via-OpenSSH-ChrootDirectory-9063