Vigil@nce: RHEL 5, privilege elevation via OpenSSH ChrootDirectory
October 2009 by Vigil@nce
Since the openssh-4.3p2-36.el5 package, a local attacker can
elevate his privileges via OpenSSH ChrootDirectory.
Severity: 2/4
Consequences: administrator access/rights, privileged access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 01/10/2009
IMPACTED PRODUCTS
– Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
The ChrootDirectory directive of OpenSSH indicates the directory
where logged users are chrooted. These users are thus in an
independent area.
The version 4.3p2-36.el5 of the openssh package of RHEL 5 added
the "ChrootDirectory %h" directive, which chroots each user in his
home directory.
However,
– if the user can create a hard link of a suid program in his
home directory, and
– if this program depends on a configuration file (for example
/etc/suidprog/conf),
then, the user can create /home/user/etc/suidprog/conf, in order
to control the suid program.
A local attacker can therefore elevate his privileges.
CHARACTERISTICS
Identifiers: 522141, BID-36552, CVE-2009-2904, RHSA-2009:1470-01,
VIGILANCE-VUL-9063
http://vigilance.fr/vulnerability/RHEL-5-privilege-elevation-via-OpenSSH-ChrootDirectory-9063