Re: BUG: simple attack when control channel muxing is used

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 10/11/14 18:20, Christoph Anton Mitterer wrote:
Uhm... no I talk an about evil user,...
As long as the user can create the socket, he can at least trick root
into using it (if that uses the socket from a location as /tmp), just as
my example has shown.
The socket there was owned by user:user and had mode 600... yet root
connected to it without noting.


If one does it the other way round, i.e. root creates the mux:
I tried last week something like this:
root@hostA:~$ ssh -o ControlMaster=yes -o ControlPath=/tmp/sshmux hostC

and then:
user@hostA:~$ ssh -o ControlMaster=no -o ControlPath=/tmp/sshmux hostB

It "fails" of course, at least it cannot open the socket and then goes
on an connects normally.

Note that Linux enforces the discretionary permissions set on unix sockets but other
Unix (including the BSD family) doesn't.

The ssh check

if ((euid != 0) && (getuid() != euid)) { error("multiplex uid mismatch: peer euid %u != uid %u", (u_int)euid, (u_int)getuid());

seems precisely to be trying to protect from this (euid is the peer euid).

I guess the (euid != 0) checkis there in case ssh was root setuid? It should probably be changed to if ((euid != 0 && (getuid() != uid)) && (getuid() != euid)) not to make it so easy for a malicious root to use your remote connections (yes, it would need receiving the peer ruid).

However, for the attack shown, there's not so much to win from improving the check at the socket server side. It should be the connecting ssh (ie. root's) the one verifying that the socket
is owned by himself.


That being said,... I haven't checked for any racey hacks...
Sadly, the provided patch has a race condition between the stat and the connect. And I don't think fstat()ing a connected unix socket would give us the owner of the socket inode... :(


Regards


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux