J-Security Center

Title: OpenSSH Client X11 Forwarding Cookie Removal File Symbolic Link Vulnerability

Severity: LOW

Description:

OpenSSH is the free implementation of the SSH client and server protocol. It is maintained by the OpenBSD project, and distributed freely as open source software.

A problem in the checking and removal of files created in the /tmp directory makes it possible for a local user to delete arbitrary files named "cookie".

During normal operation, an ssh client connecting to a server with X11 forwarding enabled causes the creation of a directory in /tmp using the $XAUTHORITY variable for naming. This directory is created with a cookie file inside, which is used to maintain the secure X11 connection between client and server.

The problem occurs when a user with local access connects to the system with forwarding enabled. Upon connecting, the directory and cookie file are created.

A hostile user may rm -r this directory and create a symbolic link in its place, pointing to another directory that contains a file named "cookie". When the ssh session terminates, sshd removes the cookie file through the symbolic link.
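
The flaw described above is a cleanup that trusts a path name in /tmp after the directory behind it may have been replaced. The following C sketch is an added example, not OpenSSH code and not the vendor's fix: it shows a cleanup routine that refuses a symbolic link and checks ownership of the directory it actually opened. The function names, the temporary directory layout and the demo scenario are assumptions constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove <dir>/cookie, then <dir>. Refuses unless <dir> is a real directory
   (not a symlink) owned by `owner` with no group/other write access.
   Returns 0 on success, -1 on refusal or error. Hypothetical helper. */
int safe_remove_cookie(const char *dir, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW makes open() fail if the final component is a symlink. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    /* Verify the object actually opened, not whatever the name points to now. */
    if (fstat(dfd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        return -1;
    }
    /* Resolve "cookie" relative to the verified descriptor, never by path. */
    int rc = unlinkat(dfd, "cookie", 0);
    close(dfd);
    return rc != 0 ? -1 : rmdir(dir); /* rmdir() does not follow a symlink */
}

/* Constructed scenario in a private temp dir: "lnk" is a symlink to "victim",
   which holds a file named cookie. Returns 1 if the symlink is refused, the
   victim file survives, and a genuine directory is still cleaned up. */
int demo_symlink_is_refused(void)
{
    char base[] = "/tmp/xcookie-demo-XXXXXX", victim[64], file[80], lnk[64];
    if (!mkdtemp(base))
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(file, sizeof file, "%s/cookie", victim);
    snprintf(lnk, sizeof lnk, "%s/lnk", base);
    int fd = mkdir(victim, 0700) == 0 ? open(file, O_CREAT | O_WRONLY, 0600) : -1;
    if (fd < 0 || close(fd) != 0 || symlink(victim, lnk) != 0)
        return 0;
    int refused = safe_remove_cookie(lnk, getuid()) == -1;
    int survived = access(file, F_OK) == 0;
    int cleaned = safe_remove_cookie(victim, getuid()) == 0 && access(victim, F_OK) != 0;
    unlink(lnk);
    rmdir(base);
    return refused && survived && cleaned;
}
```

O_NOFOLLOW only protects the final path component, so the parent of the cookie directory must itself be trusted or sticky, as /tmp normally is.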

Affected Products:

  • FreeBSD FreeBSD 4.4.0
  • OpenBSD OpenBSD 2.9.0
  • OpenBSD OpenSSH 2.1.1
  • OpenBSD OpenSSH 2.2.0 .0
  • OpenBSD OpenSSH 2.3.1
  • OpenBSD OpenSSH 2.5.2
  • OpenBSD OpenSSH 2.5.2 p2
  • OpenBSD OpenSSH 2.9.0
  • OpenBSD OpenSSH 2.9.0 p1
  • RedHat Linux 7.0.0
