On Tue, 2018-01-09 at 21:21 +0000, halfdog wrote:
> [...]
>
> There are multiple weaknesses to be seen:
>
> * Ssh searches for /proc/[pid]/fd: I do not know how sftp would
>   react when that directory is found, but it is not nice that
>   a hypothetical user "proc" could influence login behavior of
>   other processes
>
> 907 open("/proc/907/fd", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

This is just part of the closefrom() procedure [1] -- it searches for open file descriptors and if it finds them, it tries to close them. I don't think there is any straightforward way to exploit it.

[1] https://github.com/openssh/openssh-portable/blob/master/openbsd-compat/bsd-closefrom.c#L79

> Same argument for:
>
> 906 stat("/usr/lib/openssh/sftp-server", 0x7fff75547e00) = -1 ENOENT (No such file or directory)
>
> (When found, it is still not executed in sftp-internal mode)
>
> * Loading of sshrc - really bad:
>
> 907 stat("/etc/ssh/sshrc", 0x7fff75547460) = -1 ENOENT (No such file or directory)

This can be a real problem from my point of view.

> * Search for other /etc files - I would not bet that the passwd
>   parser was hardened against malicious input. Simply not a use case.
>
> 895 open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
> 895 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
> 895 open("/etc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
>
> * This also seems not really nice: if the target directory does not
>   exist, login does not stop. But maybe it is a requirement, e.g.
>   to support login to users without having their own home directory.
>
> 907 chdir("/home/build") = -1 ENOENT (No such file or directory)

It is quite expected that in a chroot there might not be the real home directory. Outside of a chroot, it would be a fatal error [2]. I don't think there is a way to misuse it in some way.

[2] https://github.com/openssh/openssh-portable/blob/master/session.c#L1586

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
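The closefrom() behaviour Jakub points to, shown as an added illustration that is not code from OpenSSH or from either poster: a compat closefrom that first probes /proc/self/fd (the open() of /proc/<pid>/fd in the trace) and, when procfs is absent as it is inside a bare chroot, falls back to walking the whole descriptor table. The names closefrom_compat and closefrom_demo and the three /dev/null descriptors are assumptions made for the demo.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>

/* Close every descriptor >= lowfd; return how many were closed.
 * Stage 1: enumerate /proc/self/fd. The open() of /proc/<pid>/fd in the
 * strace is this probe; ENOENT just means no procfs inside the chroot.
 * Stage 2: without /proc, walk the table up to RLIMIT_NOFILE, closing
 * blindly and ignoring EBADF, which is the fallback sshd then takes. */
static int closefrom_compat(int lowfd)
{
    int closed = 0;
    DIR *d = opendir("/proc/self/fd");
    if (d != NULL) {
        int self = dirfd(d);           /* never close the dir being walked */
        struct dirent *de;
        while ((de = readdir(d)) != NULL) {
            char *end;
            long fd = strtol(de->d_name, &end, 10);
            if (end == de->d_name || *end != '\0')
                continue;              /* skips "." and ".." */
            if (fd >= lowfd && fd != self && close((int)fd) == 0)
                closed++;
        }
        closedir(d);
        return closed;
    }
    struct rlimit rl;
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
        maxfd = (long)rl.rlim_cur;
    if (maxfd < 0) maxfd = 1024;       /* conservative guess if unknown */
    for (long fd = lowfd; fd < maxfd; fd++)
        if (close((int)fd) == 0) closed++;
    return closed;
}

/* Demo (constructed): open three descriptors, close from the lowest (open()
 * returns the lowest free number, so fds[0] is it), check none survive. */
static int closefrom_demo(void)
{
    int fds[3], i, ok = 1;
    for (i = 0; i < 3; i++)
        if ((fds[i] = open("/dev/null", O_RDONLY)) < 0) return 0;
    if (closefrom_compat(fds[0]) < 3) ok = 0;
    for (i = 0; i < 3; i++)
        if (fcntl(fds[i], F_GETFD) != -1) ok = 0;  /* survived: missed */
    return ok;                         /* 1 = every descriptor was closed */
}
```

Run under a chroot without /proc and the function takes the second path, which is exactly why the ENOENT in the trace is benign rather than a sign of anything being looked up from an attacker-controlled location.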