Re: SFTP chroot: Writable root

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Tue, 2018-01-09 at 21:21 +0000, halfdog wrote:
> [...]
> 
> There are multiple weaknesses to be seen:
> 
> * Ssh searches for /proc/[pid]/fd: I do not know, how sftp would
>   react, when that directory is found, but it is not nice, that
>   a hypothetical user "proc" could influence login behavior of
>   other processes
> 
> 907   open("/proc/907/fd", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC)
> = -1 ENOENT (No such file or directory)

This is just part of the closefrom() procedure [1] -- it searches for
open file descriptor and if it finds them, it tries to close them. I
don't think there is any straightforward way to exploit it.

[1] https://github.com/openssh/openssh-portable/blob/master/openbsd-com
pat/bsd-closefrom.c#L79


>   Same argument for:
> 
> 906   stat("/usr/lib/openssh/sftp-server", 0x7fff75547e00) = -1
> ENOENT (No such file or directory)
> 
>   (When found, it is still not executed in sftp-internal mode)
> 
> * Loading of sshrc - really bad:
> 
> 907   stat("/etc/ssh/sshrc", 0x7fff75547460) = -1 ENOENT (No such
> file or directory)

This can be a real problem from my point of view.

> * Search for other /etc files - I would not bet, that the passwd
>   parser was hardened against malicious input. Simply not a use case.
> 
> 895   open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such
> file or directory)
> 895   open("/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such
> file or directory)
> 895   open("/etc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such
> file or directory)
> 
> * This is also seems not really nice: if the target directory does
> not
>   exist, login does not stop. But maybe it is a requirement, e.g.
>   to support login to users without having their own home directory.
> 
> 907   chdir("/home/build")              = -1 ENOENT (No such file or
> directory)

This is quite expected, that in chroot, there might not be the real
home directory. Outside of chroot, it would be fatal error [2]. I don't
think there is a way to misuse it in some way.

[2] https://github.com/openssh/openssh-portable/blob/master/session.c#L
1586

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux