Re: SFTP chroot: Writable root

On Sun, 2018-01-07 at 18:41 +0000, halfdog wrote:
> Hello list,
> 
> I created a page to demonstrate what would happen when the chroot
> root directory is writable. In fact, code execution is already
> possible when only /etc and /bin are writable. I also tried to
> escape the chroot jail, but that did not work for non-root users.
> 
> As the 2009 CVE activities mention that creating hardlinks
> from outside gives trivial chroot, I showed that any cooperating
> access from the outside - no matter if it is the same user or
> another one - leads to root privilege escalation, even without
> hardlinks, just using the default behaviour of any shared linked
> SUID binary.
> 
> hd
> 
> [0] https://www.halfdog.net/Security/2018/OpensshSftpChrootCodeExecution/

Thank you for the article describing this issue in an understandable
manner. What struck my attention is the reading of the /etc/ssh/sshrc
from chroot.

Is it even correct that OpenSSH is searching for the /etc/ssh/sshrc
file AFTER the chroot?

No, I am not advocating writable chroots, but it sounds wrong to me,
or at least nothing I would expect. Even though it is not
exploitable out of the box, it might be if one chooses "wrong" names
for users' directories (well ... etc/ might not be too uncommon).

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
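
An audit for the condition discussed in this thread, as an added example that is not part of either message and is not OpenSSH code: it flags a chroot root whose top level, etc/ or bin/ is writable by or owned by anyone outside a trusted set, and reports an etc/ssh/sshrc inside the jail. The names `audit_chroot`, `_check` and `trusted_uids` are hypothetical, and the finding labels are made up for the example.

```python
import os
import stat

# Directories the thread names: code execution is reported when etc/ and bin/
# inside the chroot are writable, and etc/ssh/sshrc is looked up after chroot.
SENSITIVE_DIRS = ("etc", "bin")
SSHRC = os.path.join("etc", "ssh", "sshrc")
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def _check(path, trusted_uids):
    """Return finding kinds for one existing path (never follows symlinks)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]
    kinds = []
    if st.st_uid not in trusted_uids:
        kinds.append("untrusted-owner")  # the owner can always chmod it writable
    if st.st_mode & WRITABLE_BY_OTHERS:
        kinds.append("group-or-world-writable")
    return kinds


def audit_chroot(root, trusted_uids=(0,)):
    """Audit one chroot root; returns a list of (kind, relative_path) findings."""
    findings = [(k, ".") for k in _check(root, trusted_uids)]
    for name in SENSITIVE_DIRS:
        path = os.path.join(root, name)
        if os.path.lexists(path):
            findings += [(k, name) for k in _check(path, trusted_uids)]
    if os.path.lexists(os.path.join(root, SSHRC)):
        # Not a defect by itself, but it is the file the thread says is read
        # after chroot, so its presence inside a jail deserves a manual look.
        findings.append(("sshrc-present", SSHRC))
    return findings
```

A user home directory named etc/ at the top of the jail, the case raised in the reply, shows up as `untrusted-owner` on `etc`.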


