Re: BUG: simple attack when control channel muxing is used (was: Re: ControlMaster question)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Mon, 2014-11-10 at 08:14 +0000, mancha wrote: 
> The socket is created with a umask of 0177 so you should end up with
> socket perms of 0600 or thereabouts. Standard ACLs kick in.
Sure,... but that alone doesn't help...

>  If the
> threat model includes an evil root though
Uhm... no I talk an about evil user,...
As long as the user can create the socket, he can at least trick root
into using it (if that uses the socket from a location as /tmp), just as
my example has shown.
The socket there was owned by user:user and had mode 600... yet root
connected to it without noting.


If one does it the other way round, i.e. root creates the mux:
I tried last week something like this:
root@hostA:~$ ssh -o ControlMaster=yes -o ControlPath=/tmp/sshmux hostC

and then:
user@hostA:~$ ssh -o ControlMaster=no -o ControlPath=/tmp/sshmux hostB

It "fails" of course, at least it cannot open the socket and then goes
on an connects normally.

Now assuming root wouldn't be evil, but accidentally set o+rw:
root@hostA:~$ chmod o+rw /tmp/sshmux

and then trying:
user@hostA:~$ ssh -o ControlMaster=no -o ControlPath=/tmp/sshmux hostB

ssh exits with $?=141 but not giving any further warning/error

The ssh of the mux however (when in -v) gives:
>debug1: multiplexing control connection
>multiplex uid mismatch: peer euid 1000 != uid 0
to stderr


The same seems to be the case when trying with two normal users, i.e.
user1@hostA:~$ ssh -o ControlMaster=yes -o ControlPath=/tmp/sshmux hostC
user1@hostA:~$ chmod o+rw /tmp/sshmux

user2@hostA:~$ ssh -o ControlMaster=no -o ControlPath=/tmp/sshmux hostB

debug1: multiplexing control connection
multiplex uid mismatch: peer euid 1000 != uid 1001


So it only seems to work that a normal user tricks root into using an
alien socket.
That being said,... I haven't checked for any racey hacks...


> Regarding possible racey mischief, the socket is created "pseudo
> atomically".
> 
> That said, an ownership check that prevents, among other things, root
> from accidentally falling through a wormhole wouldn't be bad. Attached
> patch against 6.7p1 should do.

Wouldn't it be the enough to simply check whether
- the socket is owned by the same user
- has mode 600
- and directory permissions are such, that another user couldn't have
changed this (thinking of ACLs for that)


> PS Patch also at:
> http://sf.net/projects/mancha/files/misc/openssh-6.7p1_socket-owner.diff
mhh I get a HTTP 500 internal server error?!


Cheers,
Chris.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux