Date: Sun, 6 Sep 1998 00:53:24 +0200
From: Michal Zalewski
To: BUGTRAQ@netspace.org
Subject: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)

Maybe some sshd 1.x/2.0 stupidities:
------------------------------------

Unprivileged luser could create symlink in ~/.ssh (or ~/.sshd) to
virtually any file - root's ~/.ssh entries, /dev/urandom or anything
else. Sshd, during login attempt, but before any authorization, will
happily read these files, ignoring ownership (yep, it's running at
UID 0). Could be dangerous, could be not. But even if not, still allows
some interesting DoSes from privileged UID.

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse, divine [P. Deutsch]