{"id":128,"date":"2008-07-24T08:03:10","date_gmt":"2008-07-24T06:03:10","guid":{"rendered":"https:\/\/blogs.ua.es\/jgaliana\/?p=128"},"modified":"2008-07-24T08:26:17","modified_gmt":"2008-07-24T06:26:17","slug":"otro-mas-debian-openssh-remote-selinux-privilege-elevation-exploit-auth","status":"publish","type":"post","link":"https:\/\/blogs.ua.es\/jgaliana\/2008\/07\/24\/otro-mas-debian-openssh-remote-selinux-privilege-elevation-exploit-auth\/","title":{"rendered":"Another one: Debian OpenSSH Remote SELinux Privilege Elevation Exploit"},"content":{"rendered":"<p>Hi,<\/p>\n<p>Since I brought up the topic the other day when commenting on the ups and downs of the relationship between Debian and OpenSSL <a href=\"https:\/\/blogs.ua.es\/jgaliana\/2008\/07\/22\/mas-sobre-el-caso-debianopenssl\/\">[1]<\/a> and <a href=\"https:\/\/blogs.ua.es\/jgaliana\/2008\/07\/22\/guia-de-bolsillo-de-openssl\/\">[2]<\/a>, this time I bring you another bug, in the OpenSSH package in combination with <a href=\"http:\/\/www.nsa.gov\/selinux\/\">SELinux<\/a> (Security-Enhanced Linux, a project of the US NSA) on Debian (and, according to what has been published, possibly on other derivatives such as Ubuntu, or perhaps also Fedora\/RHEL). You can rest easy if you use the latest version of OpenSSH, because it is not affected.<\/p>\n<p>The problem is that it is possible to escalate privileges remotely, because SELinux roles can be set arbitrarily when OpenSSH is compiled with <strong>--with-selinux<\/strong>, by supplying the role after a &#8220;\/&#8221;. The patch (diff) that Debian introduced was this:<\/p>\n<p><code>+\t\tauthctxt-&gt;role = role ? 
xstrdup(role) : NULL; <\/code><\/p>\n<p>The ssh syntax ends up like this:<\/p>\n<p><code>ssh -lusername:[style]\/&lt;arbitrary SELinux role&gt; host<\/code><\/p>\n<p><a href=\"http:\/\/www.milw0rm.com\/exploits\/6094\">Here are the technical details<\/a><\/p>\n<p>Regards<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, Since I brought up the topic the other day when commenting on the ups and downs of the relationship between Debian and OpenSSL [1] and [2], this time I bring you another bug, in the OpenSSH package in combination with SELinux (Security-Enhanced Linux, a project of the US NSA) on Debian (and, according to what has been published, possibly on other derivatives such as Ubuntu, [&hellip;]<\/p>\n","protected":false},"author":139,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[481],"tags":[1619,1630,847,8031],"class_list":["post-128","post","type-post","status-publish","format-standard","hentry","category-debian","tag-openssh","tag-selinux","tag-ssh","tag-sysadmin"],"_links":{"self":[{"href":"https:\/\/blogs.ua.es\/jgaliana\/wp-json\/wp\/v2\/posts\/128","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.ua.es\/jgaliana\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.ua.es\/jgaliana\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.ua.es\/jgaliana\/wp-json\/wp\/v2\/users\/139"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.ua.es\/jgaliana\/wp-json\/wp\/v2\/comments?post=128"}],"version-history":[{"count":0,"href":"https:\/\/blogs.ua.es\/jgaliana\/wp-json\/wp\/v2\/posts\/128\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.ua.es\/jgaliana\/wp-json\/wp\/v2\/media?parent=128"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.ua.es\/jgaliana\/wp-json\/wp\/v2\/categories?post=128"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.ua.es\/jgaliana\/wp-json\/wp\/v
2\/tags?post=128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}