[Bug 2311] New: simple attack when control channel muxing is used

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Nov 10 15:06:31 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2311

            Bug ID: 2311
           Summary: simple attack when control channel muxing is used
           Product: Portable OpenSSH
           Version: 6.7p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: security
          Priority: P3
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: calestyo at scientia.net

Hi.

A thread[0] on the list reminded me about something I've noted a week
or so ago.

It seems that when using control channel multiplexing, ssh (and likely
scp and friends as well) doesn't make any checks on whether the socket
is fully owned by the current user/group, which in turn makes it easy
for an attacker to trick someone else into using an existing channel
(and e.g. upload sensitive data to that system).


A simple test showed, that ssh doesn't employ any security checks...
when it is able to open the socket, it'll use it apparently:

I tried last week something like this:
user at hostA:~$ ssh -o ControlMaster=yes -o ControlPath=/tmp/sshmux hostB

and then:
root at hostA:~$ ssh -o ControlMaster=no -o ControlPath=/tmp/sshmux hostC

As you can see, the socket is created by user, and root "accidentally"
uses it, even trying to connect to another node.
ssh will just do so without any complains.

And even when one uses something like %h, %p or that like, an attacker
can easily guess these.


Since it doesn't seem to be documented that the socket must be created
in a secure location and since neither there are any owner checks like
sshd's StrictMode... I'd probably consider that a security hole.

Any further possible attack vectors? Things like the other typical
attacks on /tmp files?

Cheers,
Chris.

[0]
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-November/033124.html

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list