[Bug 2691] New: Add ability to disable escape char forward menu
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Wed Mar 8 09:16:25 AEDT 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2691
Bug ID: 2691
Summary: Add ability to disable escape char forward menu
Product: Portable OpenSSH
Version: 7.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: thomas.jarosch at intra2net.com
Created attachment 2955
--> https://bugzilla.mindrot.org/attachment.cgi?id=2955&action=edit
Patch to make escape char forward menu optional
Hello,
attached patch adds the ability to disable the escape char based
forward menu.
People in support departments routinely ssh into remote machines that
could be potentially compromised by an attacker. If a lengthy process
is started in a terminal emulator like screen(1) or tmux, an attacker
might inject escape sequences to create port forwardings to bypass
local firewalls completely. The attacker might cause a "fault" that
will make use of screen(1) more likely when f.e. trashing a software
RAID on purpose.
Prevent the attack by making the forward menu optional, so it can be
disabled. The menu is enabled by default for compatibility reasons,
though I recommend to disable it in an upcoming release.
I've asked around a few sysadmin friends and none of them has ever
heard about the ~C menu. All of the routinely use screen(1) on jump
boxes though.
Demo exploit using screen(1) can be found here:
https://0xicf.wordpress.com/2015/03/13/hijacking-ssh-to-inject-port-forwards/
Please consider this patch for upstream inclusion.
Cheers,
Thomas
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list