[Bug 2691] New: Add ability to disable escape char forward menu

bugzilla-daemon at bugzilla.mindrot.org
Wed Mar 8 09:16:25 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2691

            Bug ID: 2691
           Summary: Add ability to disable escape char forward menu
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: security
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: thomas.jarosch at intra2net.com

Created attachment 2955
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2955&action=edit
Patch to make escape char forward menu optional

Hello,

attached patch adds the ability to disable the escape char based
forward menu.

People in support departments routinely ssh into remote machines that
could be potentially compromised by an attacker. If a lengthy process
is started in a terminal emulator like screen(1) or tmux, an attacker
might inject escape sequences to create port forwardings to bypass
local firewalls completely. The attacker might cause a "fault" that
will make use of screen(1) more likely when f.e. trashing a software
RAID on purpose.

Prevent the attack by making the forward menu optional, so it can be
disabled. The menu is enabled by default for compatibility reasons,
though I recommend disabling it in an upcoming release.

I've asked around a few sysadmin friends and none of them has ever
heard about the ~C menu. All of them routinely use screen(1) on jump
boxes though.

Demo exploit using screen(1) can be found here:
https://0xicf.wordpress.com/2015/03/13/hijacking-ssh-to-inject-port-forwards/

Please consider this patch for upstream inclusion.

Cheers,
Thomas
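
Added example, not part of the original report or of the attached patch: a small audit that reads ssh_config text and reports whether the ~C command line is reachable for a given host. It assumes the existing `EscapeChar none` setting and the `EnableEscapeCommandline` option that OpenSSH 9.2 later introduced; the host names, the sample config and the function names are constructed for illustration.

```python
import fnmatch

# Constructed sample config; host names are placeholders.
SAMPLE_CONFIG = """
# support jump hosts: no escape character at all
Host jump-*.example.net !jump-lab.example.net
    EscapeChar none
Host build.example.net
    EnableEscapeCommandline=yes
Host *
    EscapeChar ~
"""

def host_matches(patterns, host):
    """Host line semantics: a negated match vetoes, else any positive match wins."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def effective_options(config_text, host):
    """ssh_config(5) rule: the first value obtained for a keyword is used."""
    wanted = ("escapechar", "enableescapecommandline")
    active, found = True, {}          # options before any Host line apply to all
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "host":
            active = host_matches(value.split(), host)
        elif key == "match":
            active = False            # assumption: Match blocks are not evaluated here
        elif active and key in wanted and key not in found:
            found[key] = value
    return found

def escape_cmdline_reachable(config_text, host, default_enabled=True):
    """default_enabled=True models clients older than 9.2, where ~C is always on."""
    opts = effective_options(config_text, host)
    if opts.get("escapechar", "~").lower() == "none":
        return False                  # no escape character, so no ~C at all
    setting = opts.get("enableescapecommandline")
    return default_enabled if setting is None else setting.lower() == "yes"
```

Clients that predate the option reject `EnableEscapeCommandline` as an unknown keyword, so on those only `EscapeChar none` (or `-e none`) applies.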
