Thread: rssh Vulnerability: Command Execution with allowscp
Brought to you by:
xystrus
Menu
▾
▴
rssh-discuss
|
From: Vlad G. <vl...@es...> - 2019-01-16 22:09:42
|
Greetings, I'd like to make you aware of the following issue we discovered in rssh. (Most recent version available at: https://esnet-security.github.io/vulnerabilities/20190115_rssh) Regards, --ESnet Security team Issue: -------- We discovered a vulnerability in rssh where users could bypass the "allowscp" restriction and have arbitrary command execution. Background: ----------------- >From the rssh home page[1]: rssh is a restricted shell for use with OpenSSH, allowing only scp and/or > sftp. It now also includes support for rdist, rsync, and cvs. For example, > if you have a server which you only want to allow users to copy files off > of via scp, without providing shell access, you can use rssh to do that. The "allowscp" option is intended to restrict users to only being able to scp files to or from the server, and not be able to run commands on the server. When a user runs scp on their client, an scp command is also run on the server. This runs through rssh (the restricted user's shell), which attempts to verify the arguments are "secure." We can control exactly which scp command is run on the server by supplying it as an argument to ssh. If rssh considers our invocation secure, it will execute that command. Exploit: ---------- The verification that rssh attempts on the scp command is incomplete. The PKCS11Provider option will cause scp to load an arbitrary shared object file. By uploading a malicious .so file which will execute code when loaded, and then setting the PKCS11Provider option to that file, our scp command will execute the code. This option can be invoked one of three ways. In each of these methods, we're using scp to copy a file to localhost over ssh, which causes ssh to be invoked, loading and executing our malicious .so file. Our setup for these commands is: > scp bad.so rssh_user@host: 1. From the command line: > ssh rssh_user@host 'scp -o PKCS11Provider=./bad.so 1 localhost:' 2. Using the default .ssh/config file (uploaded to the server first): > ssh rssh_user@host 'scp 1 localhost:' 3. By specifying our own ssh_config file (uploaded to the server first): > ssh rssh_user@host 'scp -F rssh.config 1 localhost:' With a config file, it's contents should be: > PKCS11Provider ./bad.so Discovery: -------------- For a detailed write-up of how we discovered this issue, see our SANS 2018 Holiday Hack report[2]. Remediation: ----------------- Unknown. The author of rssh replied to our report saying that the software is no longer maintained. Disclosure & Timeline: ----------------------------- Jan 7, 2019: rssh author notified Jan 9, 2019: rssh author replied, saying "RSSH is no longer maintained." Jan 14, 2019: SANS notified Jan 16, 2019: Publication, CVE requested through [Distributed Weakness Filing](https://iwantacve.org), e-mailed rssh-discuss list Credit: --------- This issue was discovered by the ESnet Security Team. It was discovered as part of our participation in the SANS 2018 Holiday Hack Challenge[3]. References: ---------------- [1] - rssh homepage: <http://www.pizzashack.org/rssh/> [2] - ESnet Holiday Hack report: < https://software.es.net/sans-holiday-hack-2018/#org55a074b> [3] - SANS Holiday Hack: <https://www.holidayhackchallenge.com/2018/> |
|
From: Russ A. <ea...@ey...> - 2019-01-18 03:17:24
Attachments:
rssh.patch
|
Vlad Grigorescu <vl...@es...> writes: > I'd like to make you aware of the following issue we discovered in rssh. > (Most recent version available at: > https://esnet-security.github.io/vulnerabilities/20190115_rssh) Thank you for the notice! > Our setup for these commands is: >> scp bad.so rssh_user@host: > 1. From the command line: >> ssh rssh_user@host 'scp -o PKCS11Provider=./bad.so 1 localhost:' > 2. Using the default .ssh/config file (uploaded to the server first): >> ssh rssh_user@host 'scp 1 localhost:' > 3. By specifying our own ssh_config file (uploaded to the server first): >> ssh rssh_user@host 'scp -F rssh.config 1 localhost:' Yeah, this is the typical rssh problem, which is that a blacklist isn't at all sufficient and the server side of these programs support way too many features. Honestly, those of us still using this program should probably abandon it and find some other solution. The programs it tries to support are rather ill-behaved and make this sort of security model almost impossible to maintain, as witness by the fact that things like this keep coming up. But in the name of keeping things limping forward for those of us who haven't migrated yet, I took a quick look at this. Here is a COMPLETELY UNTESTED patch that might fix this problem. If I can find the time, I'll try to do some testing and patch the Debian package. If anyone else who is still using rssh has a chance to look at this, test, do code review, etc., that would be much appreciated. This is based on looking at the source code of OpenSSH 7.9p1, so it's entirely possible that other versions need to pass other arguments that aren't accepted here. -- Russ Allbery (ea...@ey...) <http://www.eyrie.org/~eagle/> |
|
From: Russ A. <ea...@ey...> - 2019-01-18 03:48:35
|
Russ Allbery <ea...@ey...> writes:
> + for ( ; vec && *vec; vec++ ){
At least one bug: this needs to be
for ( vec++; vec && *vec; vec++ ){
since the first argument is "scp".
I suspect that the rsync protocol is also vulnerable to a version of this
same bug if .ssh/config is writable and is used as the ssh client path and
the ssh binary is available on the server side, by sending an rsync
command that tries to copy a file to localhost: similar to your second
attack example. I believe tightening rssh's check that the rsync command
line starts with --server would address that, since I think (but haven't
confirmed) that will disable remote copies.
It seems likely that there's some way of abusing cvs as well, given its
huge command surface.
--
Russ Allbery (ea...@ey...) <http://www.eyrie.org/~eagle/>
|
|
From: Russ A. <ea...@ey...> - 2019-01-29 05:39:58
|
Russ Allbery <ea...@ey...> writes: > I suspect that the rsync protocol is also vulnerable to a version of > this same bug if .ssh/config is writable and is used as the ssh client > path and the ssh binary is available on the server side, by sending an > rsync command that tries to copy a file to localhost: similar to your > second attack example. I believe tightening rssh's check that the rsync > command line starts with --server would address that, since I think (but > haven't confirmed) that will disable remote copies. > It seems likely that there's some way of abusing cvs as well, given its > huge command surface. Hi all, I finally had a chance to dig into this a little more, since I owe rssh users in Debian stable some security support. The short version is that I think I've patched up the obvious ways to exploit this cluster of vulnerabilities via rsync or scp, but I'm not at all convinced that I've found all the other routes in (and I think it's quite likely there's some lingering way in via the cvs support, since the attack surface for cvs is just so large). Attached are three patches: the first adds argument checking for scp, the second is an update of the earlier rsync patch that tightens its argument checking and requires rsync be put into server mode (which looks like it will prevent initiation of outbound ssh connections, which would be another route to this same exploit), and the third applies argument checking to commands run inside a chroot. It turns out that rssh was never checking arguments if run via a chroot, and I didn't notice because I personally use it as a mild defense in depth where a chroot didn't feel important. (This last was pointed out to me by another list member in private email. I'm not naming you explicitly since I wasn't sure if you wanted to be mentioned on-list, but feel free to claim credit -- that was a great catch!) I've uploaded a new version of the Debian package to unstable with these fixes and will work with the Debian security team on a stable fix. However, once the new Debian package propagates to testing, I expect to request that it be removed (in advance of our upcoming new Debian stable release), so it will not be in the next release of Debian. I think it's time; we know the security model isn't the greatest, and I suspect we'll uncover more problems like this and I don't want to provide security support through another release cycle. -- Russ Allbery (ea...@ey...) <http://www.eyrie.org/~eagle/> |
|
From: Derek M. <co...@pi...> - 2019-01-23 21:21:21
|
On Thu, Jan 17, 2019 at 07:00:21PM -0800, Russ Allbery wrote: > Honestly, those of us still using this program should probably abandon it > and find some other solution. Yes, although given how hard solving this problem actually is, I don't think there exists any workable solution (for the general case--see below). By the way, AFAICT, the only reasonable alternative to RSSH I know of is scponly, and it looks like it was last updated less recently than RSSH was. I can't speak to how good a job it does at closing up all the holes as I've not tried to evaluate that since circa 2003. > The programs it tries to support are rather ill-behaved and make > this sort of security model almost impossible to maintain, as > witness by the fact that things like this keep coming up. You have no idea. Well, OK, *YOU* have some idea. =8^) The task wass complicated further by people continually asking for support for additional programs or features (which pretty much universally were very obviously not securable, FWIW), and my own caving to some of those requests (CVS, rsync in particular) when I should've known better... As Russ says, these things keep cropping up, as OS features, OpenSSH features, or features of the other tools RSSH is meant to safeguard, evolve. A robust solution would really require the OpenSSH folks to take this problem seriously and build in support to their own tools. Trying to provide a generalized solution is too complicated, and I've long since lost interest in solving the problem. [OpenSSH sort of does this now, since I believe OpenSSH 4.9, including chroot, but AFAIK only for sftp--another reason I "deprioritized" working on RSSH.] For serious security applications, RSSH should be considered insecurable, and unmaintained, from this point on. One of these days, I should really get around to updating the website to reflect that... My thanks to Russ for his efforts with the Debian package, and for providing some level of support when I was not paying much attention, for so long. -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0x81CFE75D |
|
From: Russ A. <ea...@ey...> - 2019-01-29 05:50:50
|
Derek Martin <co...@pi...> writes:
> Yes, although given how hard solving this problem actually is, I don't
> think there exists any workable solution (for the general case--see
> below). By the way, AFAICT, the only reasonable alternative to RSSH I
> know of is scponly, and it looks like it was last updated less recently
> than RSSH was. I can't speak to how good a job it does at closing up
> all the holes as I've not tried to evaluate that since circa 2003.
rush showed up a little while ago in Debian:
http://puszcza.gnu.org.ua/software/rush/
I looked through the documentation a bit, but haven't really examined it.
It has a rather complex configuration language that lets you write various
rules specifying what to allow and deny, but I'm pretty dubious that it's
possible to write good enough rules to make this safe.
rsync comes with a script called rrsync that provides rssh-like
functionality only for the server side of rsync. It fully parses the
command line and tries to make sure that people don't rsync outside of a
particular path, and apparently processes rsync source code to figure out
what options to allow. It *might* be safe?
> The task wass complicated further by people continually asking for
> support for additional programs or features (which pretty much
> universally were very obviously not securable, FWIW), and my own caving
> to some of those requests (CVS, rsync in particular) when I should've
> known better... As Russ says, these things keep cropping up, as OS
> features, OpenSSH features, or features of the other tools RSSH is meant
> to safeguard, evolve.
Yeah, there were a ton more requests for new programs in both Debian and
Ubuntu, and I said yes to one of them (svnserve) and then learned my
lesson and said no to all the rest. People really want some sort of safe
remote restricted shell for various commands, but doing this as a very
simple general wrapper is extremely hard.
> For serious security applications, RSSH should be considered
> insecurable, and unmaintained, from this point on. One of these days, I
> should really get around to updating the website to reflect that...
> My thanks to Russ for his efforts with the Debian package, and for
> providing some level of support when I was not paying much attention,
> for so long.
Thank you for providing a really useful tool! I've made a lot of use of
it over the years as defense in depth where the other end is
semi-privileged, so I'm not super-worried, but I'd still rather limit the
blast radius if something goes wrong. (Mostly for internal backups via
rsync, to be honest.)
It's been a good run. :) Alas, security is really hard.
I may write some really stripped-down version of the same basic idea for
my own use that ignores the command sent by the client and just always
runs rsync --server with a bunch of standard options.
--
Russ Allbery (ea...@ey...) <http://www.eyrie.org/~eagle/>
|
|
From: Derek M. <co...@pi...> - 2019-02-01 20:24:31
|
On Mon, Jan 28, 2019 at 09:50:36PM -0800, Russ Allbery wrote: > I may write some really stripped-down version of the same basic idea for > my own use that ignores the command sent by the client and just always > runs rsync --server with a bunch of standard options. That is obviously the best possible approach, but also obviously gives up all measure of flexibility. Still, it should suffice for the majority of use cases. -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0x81CFE75D |
|
From: Derek M. <co...@pi...> - 2019-02-12 21:19:36
|
On Thu, Jan 17, 2019 at 07:00:21PM -0800, Russ Allbery wrote: > Here is a COMPLETELY UNTESTED patch that might fix this problem. If I can > find the time, I'll try to do some testing and patch the Debian package. > > If anyone else who is still using rssh has a chance to look at this, test, > do code review, etc., that would be much appreciated. This is based on > looking at the source code of OpenSSH 7.9p1, so it's entirely possible > that other versions need to pass other arguments that aren't accepted > here. I believe the patch fails to solve case #2 (the user specifies PKCS11Provider in ~/.ssh/config), which I believe can only be mitigated by preventing the user from uploading such a file, e.g. by providing a "safe" one for the user which is owned by root, not writable by the user, and having the parent (.ssh) directory also not owned by the user and not writable by the user. Another way to mitigate this, I believe, is to specify the system's correct PKCS11Provider (or, I believe, a completely bogus one) in the user's authorized_keys file, in the options field of every authorized key, which overrides whatever the user asked for. Again, the file must not be modifiable by the user. Making sure that the user's ssh config files are not modifiable by the user is a standard part of securing rssh, so if the above is done correctly, IIUC rssh should not actually be vulnerable to this attack at all. It is, as it has always been, the system administrator's responsibility to make sure their system is properly configured to prevent such breaches. I've always tried to offer guidance regarding that, but I've also been very clear (i.e. in the man page) that it's the sysadmin's responsibility to stay current with the various services that are used with rssh, and to configure them properly to prevent bypassing rssh. -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0x81CFE75D |
|
From: Russ A. <ea...@ey...> - 2019-02-13 02:02:41
|
Derek Martin <co...@pi...> writes: > I believe the patch fails to solve case #2 (the user specifies > PKCS11Provider in ~/.ssh/config), which I believe can only be mitigated > by preventing the user from uploading such a file, e.g. by providing a > "safe" one for the user which is owned by root, not writable by the > user, and having the parent (.ssh) directory also not owned by the user > and not writable by the user. This wouldn't surprise me, but could you explain more about why you say that? I don't see anything in scp that would pay attention to the PKCS11Provider configuration in ~/.ssh/config, so as long as scp doesn't run ssh, I'm not seeing the mechanism whereby this code would be loaded. The code to load it seems to only be in ssh.c. > Making sure that the user's ssh config files are not modifiable by the > user is a standard part of securing rssh, so if the above is done > correctly, IIUC rssh should not actually be vulnerable to this attack at > all. It is, as it has always been, the system administrator's > responsibility to make sure their system is properly configured to > prevent such breaches. I've always tried to offer guidance regarding > that, but I've also been very clear (i.e. in the man page) that it's the > sysadmin's responsibility to stay current with the various services that > are used with rssh, and to configure them properly to prevent bypassing > rssh. This is a fair point, and perhaps it's not worth the effort of trying to provide a security guarantee if the user can add files to .ssh or to the user's home directory. -- Russ Allbery (ea...@ey...) <http://www.eyrie.org/~eagle/> |
Thanks for helping keep SourceForge clean.
X