OpenSSH Client X11 Forwarding Cookie Removal File Symbolic Link Vulnerability

OpenSSH is the free implementation of the SSH client and server protocol. It is maintained by the OpenBSD project, and distributed freely as open source software.

A problem with OpenSSH makes it possible to delete arbitrary files. By connecting to a system over ssh and using X11 forwarding, a file is created in the /tmp directory as a result of the X11 forwarding. By linking the directory contained in /tmp to another directory containing the file "cookie", the cookie file will be removed by sshd upon termination of the session.

This makes it possible for a local user to arbitrary delete a cookie file belonging to another user.


Privacy Statement
Copyright 2010, SecurityFocus