BUG: simple attack when control channel muxing is used (was: Re: ControlMaster question)

Christoph Anton Mitterer calestyo at scientia.net
Mon Nov 10 15:00:16 EST 2014


Hey.

Interesting that you bring this up now... I've actually looked into this
a week ago but forgot to write a bug report.

A simple test showed that ssh doesn't employ any security checks...
when it is able to open the socket, it'll use it apparently:

I tried last week something like this:
user at hostA:~$ ssh -o ControlMaster=yes -o ControlPath=/tmp/sshmux hostB

and then:
root at hostA:~$ ssh -o ControlMaster=no -o ControlPath=/tmp/sshmux hostC

As you can see, the socket is created by user, and root "accidentally"
uses it, even trying to connect to another node.
ssh will just do so without any complaints.

And even when one uses something like %h, %p or the like, an attacker
can easily guess these.


Since it doesn't seem to be documented that the socket must be created
in a secure location, and since there aren't any owner checks like
sshd's StrictModes... I'd probably consider that a security hole.

Upstream, what do you think?


Cheers,
Chris.

btw: I cannot answer your second question, perhaps one of the developers
knows more about that.
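As an added illustration (not part of the post above and not OpenSSH's own code), here is a small pre-flight check a user could run on an expanded ControlPath before starting a master: it applies the StrictModes-style ownership and permission tests the report says the ssh client lacks, and refuses a socket in a shared directory such as /tmp. The function name and the exact checks are my own choice; the path is assumed to be already expanded (no %h/%p tokens).

```sh
#!/bin/sh
# Added example, not from the original post: StrictModes-style check for a
# ControlPath socket. Exit 0 = path looks safe to use, 1 = refuse (reason on
# stdout). Pass the expanded path, not one still containing %h/%p tokens.

# True if PATH has any group- or world-write bit set. On Linux, connect() on
# a unix socket needs write permission on the socket file, so a group/world
# writable mux socket is one every local user can multiplex through.
group_or_world_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

check_control_path() {
    sock=$1
    dir=$(dirname "$sock")
    me=$(id -un)

    # 1. The directory: a real directory (not a symlink), owned by us, and
    #    not writable by others. A shared 1777 /tmp fails here, which is the
    #    /tmp/sshmux case from the report: anyone can pre-create the socket
    #    there before the intended user does.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "unsafe: $dir is not a directory"; return 1
    fi
    if [ ! -O "$dir" ]; then
        echo "unsafe: $dir is not owned by $me"; return 1
    fi
    if group_or_world_writable "$dir"; then
        echo "unsafe: $dir is group/world writable"; return 1
    fi

    # 2. The socket, if it already exists: must really be a socket (not a
    #    symlink or a planted regular file), owned by us, and private.
    if [ -e "$sock" ] || [ -L "$sock" ]; then
        if [ -L "$sock" ] || [ ! -S "$sock" ]; then
            echo "unsafe: $sock exists but is not a socket"; return 1
        fi
        if [ ! -O "$sock" ]; then
            echo "unsafe: $sock is owned by someone other than $me"; return 1
        fi
        if group_or_world_writable "$sock"; then
            echo "unsafe: $sock is group/world writable"; return 1
        fi
    fi
    echo "ok: $sock"
    return 0
}
```

A wrapper could run `check_control_path "$HOME/.ssh/mux-host" && ssh -o ControlMaster=yes -o ControlPath="$HOME/.ssh/mux-host" host` so the master is only started when the check passes.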