security flaw in rssh

Derek Martin code at pizzashack.org
Sat Jun 19 17:51:07 EST 2004 

rssh is a small shell whose purpose is to restrict users to using scp
or sftp, and also provides the facilities to place users in a chroot
jail.  It can also be used to lock users out of a system completely.
William F. McCaw identified a minor security flaw in rssh when used
with chroot jails.

There is a bug in rssh 2.0 - 2.1.x which allows a user to gather
information outside of a chrooted jail unintentionally.  The latest
release of rssh fixes this problem, and also improves support for
some non-openssh sftp clients.  Additionally, it extends rssh by
allowing cvs, rsync, and rdist.

The cause of the problem identified by Mr. McCaw is that rssh expanded
command-line arguments prior to entering the chroot jail.  This bug
DOES NOT allow a user to access any of the files outside the jail, but
can allow them to discover what files are in a directory which is
outside the jail, if their credentials on the server would normally
allow them read/execute access in the specified directory.

For example (from William's bug report), if a user has an account on a
server machine which restricts them into a jail using rssh, the
user can use the following command to access the server and see what
files exist in the /etc directory:

  scp target:/etc/* .

The results of this command will look something like this:

  scp: /etc/DIR_COLORS: No such file or directory
  scp: /etc/HOSTNAME: No such file or directory
  scp: /etc/X11: No such file or directory
  scp: /etc/adjtime: No such file or directory
  [ ... ]
  ld.so.cache                                  100%  675     0.0KB/s 00:00
  ld.so.conf                                   100%    0     0.0KB/s 00:00
  [ ... ]
  passwd                                       100%   51     0.0KB/s 00:00
  [ ... ]
  scp: /etc/termcap-Linux: No such file or directory
  scp: /etc/updatedb.conf: No such file or directory
  scp: /etc/warnquota.conf-sample: No such file or directory
  scp: /etc/xml: No such file or directory

The files which succeed in copying exist inside the chroot jail, and
thus should be harmless.  All of the files which produce an error
message exist in the system's /etc directory, but do not exist inside
the chroot jail.  The user is placed in the jail before access to any
of these files is attempted, so again, it is not possible to access
them.  For many sites, this is not a serious issue.  However if it is
important at your site that users not be able to know about any files
which exist outside the chroot jail, then you should upgrade as soon
as possible.

The 2.2.0 release of rssh fixed the problem in question, but was
mistakenly released missing some code for parsing per-user options.  
The 2.2.1 release corrects that problem, and should be the final
release of rssh.  No further development is planned.

You can get the latest release of rssh here:

  http://www.pizzashack.org/rssh/


-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040619/d2931d98/attachment.bin

More information about the openssh-unix-dev mailing list