lunes, abril 07, 2008

SSH ForceCommand security flaw

ForceCommand is a sshd_config option that lets use the remote ssh to execute a restricted commands, for example vi somefile.

When a SSH session is started the ~/.ssh/rc shell script is executed, the user logged by ssh, has permissions to write into his own rc.

Then if we are allowed to make a vi somefile, we can write into ~/.ssh/rc and write a /bin/bash that will be spawned the next time we enter to the system.

The patch only lets the rc execution when ForceCommand is not enabled (options.adm_forced_command == NULL)


+++ usr.bin/ssh/session.c 27 Mar 2008 10:54:55 -0000
@@ -878,8 +878,9 @@
do_xauth =
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;

- /* ignore _PATH_SSH_USER_RC for subsystems */
- if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
+ /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
+ if (!s->is_subsystem && options.adm_forced_command == NULL &&
+ (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
if (debug_flag)