Jason DiCioccio said the following on Mon, Jun 04, 2001 at 09:08:26AM -0700,
> Also: SSH Version OpenSSH_2.3.0 [EMAIL PROTECTED] 20010321 -- That comes
> with FreeBSD 4.3-STABLE
> is not vulnerable at first glance. It does not appear to use /tmp files
> as yours does and therefore is not vulnerable.
I tested it on OpenSSH_2.5.2 on OpenBSD and it worked. I had to enable X
forwarding on the client and server before the remote machine would create
(and attempt to unlink() ) the cookies file.
The offending code is in session.c in the xauthfile_cleanup_proc() function
<SNIP>
/*
* Remove local Xauthority file.
*/
void
xauthfile_cleanup_proc(void *ignore)
{
debug("xauthfile_cleanup_proc called");
if (xauthfile != NULL) {
char *p;
unlink(xauthfile);
</SNIP>
where xauthfile points to a buffer containing the name of the cookies file.
Cheers.
--
Jerry Connolly Computer Incident Response Team
[EMAIL PROTECTED] Eircom Multimedia
