On 05.07.23 18:01, MCMANUS, MICHAEL P wrote:
It appears the forced command either does not run or runs to completion and exits immediately, as there is no process named "receive.ksh" in the process tree.
FWIW, two cents of mine:

-- The script *exiting* should *not* prompt sshd to execute the requested subsystem "as a second thought", or else it'd happen all over the place.

-- The process' cmdline would state the shell executing the script (ksh, I suppose?) rather than the script file.
In the meantime, I received an (off-list) e-mail pointing out that your script obviously accepts input from stdin (note the "-T" given to ssh, so no tty):
The actual command is similar to the following (parameters inserted to protect the source):

    (print ${FQDN} ; print ${Environment} ; cat ${OutFileXML}) | \
    ssh -Ti ${EmbeddedPrivateKey} ...
and that it's conceivable that WinSCP might send a command line executing sftp-server, just in case the server provides it with a login shell instead of calling the SFTP subsystem directly; hence the theory that the script has some command injection vulnerability.
Does the exploit still work when you change the authorized_keys from command="/.../receive.ksh" to, e.g., command="/bin/ksh -c '/.../receive.ksh </dev/null'" to suppress the client's input?

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev