Re: rssh Vulnerability: Command Execution with allowscp
From: Russ A. <ea...@ey...> - 2019-01-18 03:17:24
Vlad Grigorescu <vl...@es...> writes:

> I'd like to make you aware of the following issue we discovered in rssh.
> (Most recent version available at:
> https://esnet-security.github.io/vulnerabilities/20190115_rssh)

Thank you for the notice!

> Our setup for these commands is:
>
>> scp bad.so rssh_user@host:
>
> 1. From the command line:
>
>> ssh rssh_user@host 'scp -o PKCS11Provider=./bad.so 1 localhost:'
>
> 2. Using the default .ssh/config file (uploaded to the server first):
>
>> ssh rssh_user@host 'scp 1 localhost:'
>
> 3. By specifying our own ssh_config file (uploaded to the server first):
>
>> ssh rssh_user@host 'scp -F rssh.config 1 localhost:'

Yeah, this is the typical rssh problem, which is that a blacklist isn't at all sufficient and the server side of these programs supports way too many features.

Honestly, those of us still using this program should probably abandon it and find some other solution. The programs it tries to support are rather ill-behaved and make this sort of security model almost impossible to maintain, as witnessed by the fact that things like this keep coming up.

But in the name of keeping things limping forward for those of us who haven't migrated yet, I took a quick look at this. Here is a COMPLETELY UNTESTED patch that might fix this problem. If I can find the time, I'll try to do some testing and patch the Debian package. If anyone else who is still using rssh has a chance to look at this, test, do code review, etc., that would be much appreciated.

This is based on looking at the source code of OpenSSH 7.9p1, so it's entirely possible that other versions need to pass other arguments that aren't accepted here.

-- 
Russ Allbery (ea...@ey...) <http://www.eyrie.org/~eagle/>
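The allowlist approach Russ describes (accept only the arguments the OpenSSH client actually sends to the server-side scp, reject everything else) as an added, stand-alone illustration; this is not the patch from the message nor rssh's code, and the accepted option set is an assumption drawn from the OpenSSH 7.9p1 client, so other versions may send arguments this check would refuse.

```python
"""Allowlist check for a server-side scp command string (as rssh would see it
in SSH_ORIGINAL_COMMAND). Constructed example, not rssh's implementation."""
import shlex

# Assumption: the OpenSSH 7.9p1 scp client builds the remote command as
#   scp [-v] [-r] [-p] [-d] (-t|-f) [--] <single path>
# Any other option (-o, -F, -S, -i, ...) is not something the client sends,
# so it is refused rather than blacklisted one by one.
SIMPLE_FLAGS = {"-v", "-r", "-p", "-d"}
MODE_FLAGS = {"-t", "-f"}          # "to" (sink) and "from" (source) modes


def scp_command_allowed(command: str) -> bool:
    """Return True only if `command` matches the narrow server-side form."""
    try:
        argv = shlex.split(command)
    except ValueError:              # unbalanced quotes: refuse
        return False
    if not argv or argv[0] != "scp":
        return False

    mode = None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "--":             # end of options; the path may begin with '-'
            i += 1
            break
        if arg in SIMPLE_FLAGS:
            i += 1
            continue
        if arg in MODE_FLAGS:
            if mode is not None:    # -t and -f together make no sense
                return False
            mode = arg
            i += 1
            continue
        if arg.startswith("-") and arg != "-":
            return False            # unknown option: allowlist miss
        break                       # first non-option: the path

    paths = argv[i:]
    return mode is not None and len(paths) == 1


if __name__ == "__main__":
    for cmd in ("scp -r -p -t /home/rssh_user/in",
                "scp -o PKCS11Provider=./bad.so 1 localhost:",
                "scp -F rssh.config 1 localhost:"):
        print(f"{cmd!r}: {'allowed' if scp_command_allowed(cmd) else 'refused'}")
```

The three command lines from the advisory are refused because they either carry an option outside the set or lack the `-t`/`-f` server mode flag, while a normal client-initiated copy passes.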