Thread: Re: rssh security announcement
From: Derek M. <co...@pi...> - 2012-05-08 18:29:27
[Resent to correct recipients; moderators, please approve THIS message.]

rssh is a shell for restricting SSH access to a machine to only scp, sftp, or a small set of similar applications.

http://www.pizzashack.org/rssh/

Henrik Erkkonen has discovered that, through clever manipulation of environment variables on the ssh command line, it is possible to circumvent rssh. As far as I can tell, there is no way to effect a root compromise, except of course if the root account is the one you're attempting to protect with rssh...

This project is old, and I have no interest in continuing to maintain it. I looked for easy solutions to the problem, but in discussing them with Henrik, none which we found satisfactorily address the problem. Fixing this properly will require more work than I want to put into it.

Note in particular that the AcceptEnv sshd configuration option need not be turned on for this exploit to work.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: Nico Kadel-G. <nk...@gm...> - 2012-05-09 00:50:18
On Tue, May 8, 2012 at 2:14 PM, Derek Martin <co...@pi...> wrote:
> [Resent to correct recipients; moderators, please approve THIS
> message.]
>
> rssh is a shell for restricting SSH access to a machine to only scp,
> sftp, or a small set of similar applications.
>
> http://www.pizzashack.org/rssh/
>
> Henrik Erkkonen has discovered that, through clever manipulation of
> environment variables on the ssh command line, it is possible to
> circumvent rssh. As far as I can tell, there is no way to effect a
> root compromise, except of course if the root account is the one
> you're attempting to protect with rssh...

That..... is a big, big problem. I've occasionally used it for root access for backup operations and remote init script management or various "trap" events from bug reporting.

> This project is old, and I have no interest in continuing to maintain
> it. I looked for easy solutions to the problem, but in discussing
> them with Henrik, none which we found satisfactorily address the
> problem. Fixing this properly will require more work than I want to
> put into it.
>
> Note in particular that the AcceptEnv sshd configuration option need
> not be turned on for this exploit to work.

Is it still a problem with OpenSSH version 6, which was recently published?
From: Derek M. <co...@pi...> - 2012-05-09 17:37:08
On Tue, May 08, 2012 at 08:50:11PM -0400, Nico Kadel-Garcia wrote:
> Is it still a problem with OpenSSH version 6, which was
> recently published?

Yes. The flaw is in how rssh parses command lines, irrespective of what SSH implementation is used. I've been a bit vague about the details for the moment; I'm hoping that the announcement will generate some interest in taking over the maintenance of the project. I'd like to have some sense of what will happen next before the full details are disclosed. If someone wants to step forward, it would be good to give them a chance to fix it before that happens.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: Russ A. <rr...@st...> - 2012-05-09 17:44:07
Derek Martin <co...@pi...> writes:
> On Tue, May 08, 2012 at 08:50:11PM -0400, Nico Kadel-Garcia wrote:
>> Is it still a problem with OpenSSH version 6, which was
>> recently published?

> Yes. The flaw is in how rssh parses command lines, irrespective of what
> SSH implementation is used. I've been a bit vague about the details for
> the moment; I'm hoping that the announcement will generate some interest
> in taking over the maintenance of the project. I'd like to have some
> sense of what will happen next before the full details are disclosed.
> If someone wants to step forward, it would be good to give them a chance
> to fix it before that happens.

I can't realistically offer to take over upstream development, as I have too much else on my plate, but I plan on continuing to maintain the Debian package for rssh unless the security situation is untenable, and I'm happy to help at least with merging the current Debian patches and trying to review other changes. Particularly if the source ended up on Github or some other public Git hosting facility that's a little less annoying than Sourceforge, but I can deal with Sourceforge if that's what people really want to use. So if someone else is willing to step up, I can at least offer to have you not be alone. :)

--
Russ Allbery (rr...@st...) <http://www.eyrie.org/~eagle/>
From: Derek M. <co...@pi...> - 2012-06-05 23:01:03
Attachments:
rssh.2.3.4.patch
On Tue, May 15, 2012 at 10:46:04AM -0500, Derek Martin wrote:
> On Tue, May 08, 2012 at 12:24:52PM -0500, Derek Martin wrote:
> > Henrik Erkkonen has discovered that, through clever manipulation of
> > environment variables on the ssh command line, it is possible to
> > circumvent rssh. As far as I can tell, there is no way to effect a
> > root compromise, except of course if the root account is the one
> > you're attempting to protect with rssh...
>
> Actually, I have a patch for this. I'll be publishing it later this
> week, when I can find some time to do it.

I haven't had the time to work up a proper release for this issue, but I do have a patch, which is attached. Hopefully I'll get some time to do a release this weekend.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: Derek M. <co...@pi...> - 2012-06-05 23:29:28
Attachments:
rssh.2.3.4.patch
On Tue, May 15, 2012 at 10:46:04AM -0500, Derek Martin wrote:
> On Tue, May 08, 2012 at 12:24:52PM -0500, Derek Martin wrote:
> > Henrik Erkkonen has discovered that, through clever manipulation of
> > environment variables on the ssh command line, it is possible to
> > circumvent rssh. As far as I can tell, there is no way to effect a
> > root compromise, except of course if the root account is the one
> > you're attempting to protect with rssh...
> >
> > This project is old, and I have no interest in continuing to maintain
> > it.
>
> Actually, I have a patch for this. I'll be publishing it later this
> week, when I can find some time to do it.

I haven't had the time to work up a proper release for this issue, but I do have a patch, which is attached. Hopefully I'll get some time to do a release this weekend.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: Derek M. <co...@pi...> - 2012-11-28 00:29:16
All,

Today I released rssh-2.3.4, which fixes an old issue, and a new issue:

On Tue, May 08, 2012 at 01:14:26PM -0500, Derek Martin wrote:
> rssh is a shell for restricting SSH access to a machine to only scp,
> sftp, or a small set of similar applications.
>
> http://www.pizzashack.org/rssh/
>
> Henrik Erkkonen has discovered that, through clever manipulation of
> environment variables on the ssh command line, it is possible to
> circumvent rssh. As far as I can tell, there is no way to effect a
> root compromise, except of course if the root account is the one
> you're attempting to protect with rssh...

This was CVE-2012-3478, for which I had originally only posted a patch to the rssh mailing list. It is now fixed in the new release.

The new issue is CVE-2012-2252, which involves improper filtering of the rsync command line, when rsync support is configured. This may be somewhat of a non-issue for recent stock rssh installations, as stock rssh does not support newer rsync binaries which use -e to specify the rsync protocol; thus if you're using rssh with a recent installation, rsync does not work for you anyway, and you therefore most likely have it disabled by config. Nevertheless, it is a legitimate security concern if you have rsync enabled in the configuration. This also is fixed in 2.3.4.

This release also includes some mostly trivial updates for the build and a bit of minor code clean-up.

For people using rssh packages from Debian, Red Hat, or one of their derivatives, a third vulnerability was recently discovered, assigned CVE-2012-2251. This issue exists only in a third-party patch to make rssh work with newer rsync binaries. Stock rssh *is not vulnerable* to this issue. However if you are relying on your vendor to package rssh, this likely affects you.

Lastly, since the vendors are providing their own packages, and I'm no longer set up to build RPMs, I am no longer providing rssh in RPM form. Please be sure to update rssh to v2.3.4, either by downloading and compiling from the website, or by updating your vendor's packages.

http://www.pizzashack.org/rssh/downloads.shtml

Thank you.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: Russ A. <rr...@st...> - 2012-11-28 00:27:15
Attachments:
rsync-protocol.diff
Derek Martin <co...@pi...> writes:
> This was CVE-2012-3478, for which I had originally only posted a patch
> to the rssh mailing list. It is now fixed in the new release.

> The new issue is CVE-2012-2252, which involves improper filtering of the
> rsync command line, when rsync support is configured. This may be
> somewhat of a non-issue for recent stock rssh installations, as stock
> rssh does not support newer rsync binaries which use -e to specify the
> rsync protocol; thus if you're using rssh with a recent installation,
> rsync does not work for you anyway, and you therefore most likely have
> it disabled by config. Nevertheless, it is a legitimate security
> concern if you have rsync enabled in the configuration. This also is
> fixed in 2.3.4.

> This release also includes some mostly trivial updates for the build
> and a bit of minor code clean-up.

> For people using rssh packages from Debian, Red Hat, or one of their
> derivatives, a third vulnerability was recently discovered, assigned
> CVE-2012-2251. This issue exists only in a third-party patch to make
> rssh work with newer rsync binaries. Stock rssh *is not vulnerable* to
> this issue. However if you are relying on your vendor to package rssh,
> this likely affects you.

Attached is the updated version of the patch used in Debian to permit the rsync reuse of the -e option to convey protocol information, for those who may be applying this patch to their own builds. This has not yet been updated to be based on the 2.3.4 release and is still based on 2.3.3. I'll be updating the Debian packaging to the new 2.3.4 release in the coming months.

--
Russ Allbery (rr...@st...) <http://www.eyrie.org/~eagle/>
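The two issues named in the 2.3.4 announcement above (environment manipulation on the ssh command line, and unfiltered rsync options) and the Debian patch Russ describes (letting a newer rsync client reuse -e to carry protocol information) are all about what a restricted shell accepts from the command string sshd hands it. The following is an added example, written for this page; it is not rssh's code, not the 2.3.4 fix, and not the Debian patch. It shows the shape of a fail-closed gate for that string: reject anything a shell would interpret, reject a leading VAR=value token, pin the program name, and for rsync refuse any -e or --rsh that names a program. The shape it accepts as rsync "protocol information" (a dot followed by alphanumerics), the scp options it treats as dangerous (-S, -o, -F) and the function names are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative gate for the command string an rssh-style restricted shell
 * receives from sshd.  Not rssh's code: it shows the class of checks the
 * thread discusses (refuse shell syntax, refuse VAR=value assignments,
 * pin the program, refuse an rsync -e/--rsh that names a program while
 * letting through the assumed ".LsfxC"-style protocol token). */

enum verdict { ALLOW = 0, DENY_TOOLONG, DENY_META, DENY_ENVASSIGN,
               DENY_PROGRAM, DENY_SCP_OPTION, DENY_RSH };

/* A leading VAR=value token is an environment assignment to a shell. */
static int is_env_assignment(const char *t)
{
    size_t i = 1;
    if (!isalpha((unsigned char)t[0]) && t[0] != '_') return 0;
    while (isalnum((unsigned char)t[i]) || t[i] == '_') i++;
    return t[i] == '=';
}

/* Assumed shape of rsync's protocol-info argument: '.' then alphanumerics.
 * Anything else after -e is taken to be a program name and refused. */
static int is_protocol_info(const char *a)
{
    if (a[0] != '.') return 0;
    for (a++; *a; a++) if (!isalnum((unsigned char)*a)) return 0;
    return 1;
}

static enum verdict check_rsync(int argc, char **argv)
{
    int i;
    for (i = 1; i < argc && strcmp(argv[i], "--") != 0; i++) {
        const char *a = argv[i], *e, *arg;
        if (!strcmp(a, "--rsh") || !strncmp(a, "--rsh=", 6)) return DENY_RSH;
        if (a[0] != '-' || a[1] == '-') continue;
        /* short cluster: -e consumes the rest of the cluster, else the next token */
        if ((e = strchr(a + 1, 'e')) == NULL) continue;
        arg = e + 1;
        if (*arg == '\0') { if (++i >= argc) return DENY_RSH; arg = argv[i]; }
        if (!is_protocol_info(arg)) return DENY_RSH;
    }
    return ALLOW;
}

static enum verdict check_scp(int argc, char **argv)
{
    int i, server_mode = 0;
    for (i = 1; i < argc && strcmp(argv[i], "--") != 0; i++) {
        const char *a = argv[i];
        if (a[0] != '-' || a[1] == '-') continue;
        if (strpbrk(a + 1, "SoF")) return DENY_SCP_OPTION; /* client chooses what scp execs as ssh */
        if (strpbrk(a + 1, "tf")) server_mode = 1;        /* -t/-f: server side, no ssh exec */
    }
    return server_mode ? ALLOW : DENY_SCP_OPTION;
}

enum verdict check_command(const char *cmd)
{
    char buf[1024], *argv[64], *tok, *save = NULL;
    const char *prog, *slash;
    int argc = 0;

    if (strlen(cmd) >= sizeof buf) return DENY_TOOLONG;
    /* fail closed on anything a shell would interpret instead of trying to parse it */
    if (strpbrk(cmd, "'\"`$;|&<>()\\\n")) return DENY_META;
    strcpy(buf, cmd);
    for (tok = strtok_r(buf, " \t", &save); tok; tok = strtok_r(NULL, " \t", &save)) {
        if (argc == 64) return DENY_TOOLONG;
        argv[argc++] = tok;
    }
    if (argc == 0) return DENY_PROGRAM;
    if (is_env_assignment(argv[0])) return DENY_ENVASSIGN;
    slash = strrchr(argv[0], '/');
    prog = slash ? slash + 1 : argv[0];
    if (!strcmp(prog, "sftp-server")) return ALLOW;
    if (!strcmp(prog, "scp")) return check_scp(argc, argv);
    if (!strcmp(prog, "rsync")) return check_rsync(argc, argv);
    return DENY_PROGRAM;
}

int main(void)
{
    const char *samples[] = {           /* constructed inputs, not captured traffic */
        "scp -t /incoming", "FOO=bar scp -t /incoming",
        "rsync --server -e.LsfxC . /data", "rsync --server -ave /bin/sh . /data",
        "scp -t /incoming; id",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s %s\n", samples[i], check_command(samples[i]) == ALLOW ? "allow" : "deny");
    return 0;
}
```

The design choice worth noting is that the gate does not try to parse quoting or expansion at all: any quote, backtick, `$`, separator or redirection in the string is refused outright, so the only inputs that reach the per-program checks are plain whitespace-separated words. Over-rejecting (a short-option cluster that merely contains the letter `e` or `S`) is accepted as the cost of failing closed.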
From: Nico Kadel-G. <nk...@gm...> - 2012-11-28 13:11:52
On Tue, Nov 27, 2012 at 6:59 PM, Derek Martin <co...@pi...> wrote:
> All,
>
> Today I released rssh-2.3.4, which fixes an old issue, and a new
> issue:

> Lastly, since the vendors are providing their own packages, and I'm no
> longer set up to build RPMs, I am no longer providing rssh in RPM
> form. Please be sure to update rssh to v2.3.4, either by downloading
> and compiling from the website, or by updating your vendor's packages.
>
> http://www.pizzashack.org/rssh/downloads.shtml

Any chance I can talk you into submitting an update request at redhat.bugzilla.com? As the author of rssh, I suspect they'll take your update suggestion a lot more seriously than mine.
From: Russ A. <rr...@st...> - 2012-11-28 20:19:30
Nico Kadel-Garcia <nk...@gm...> writes:
> Any chance I can talk you into submitting an update request at
> redhat.bugzilla.com? As the author of rssh, I suspect they'll take
> your update suggestion a lot more seriously than mine.

The security issue was coordinated with the Red Hat security team, so I suspect it's already on their radar.

--
Russ Allbery (rr...@st...) <http://www.eyrie.org/~eagle/>