SFTP chroot: Writable root

Jakub Jelen jjelen at redhat.com
Mon Jan 8 23:37:08 AEDT 2018


On Sun, 2018-01-07 at 18:41 +0000, halfdog wrote:
> Hello list,
> 
> I created a page to demonstrate what would happen when the chroot
> root directory is writable. In fact, code execution is already
> possible when only /etc and /bin are writable. I also tried to
> escape the chroot jail, but that did not work for non-root users.
> 
> As the 2009 CVE activities mention that creating hardlinks
> from outside gives trivial chroot, I showed that any cooperating
> access from the outside - no matter if it is the same user or
> another one - leads to root privilege escalation, even without
> hardlinks, just using the default behaviour of any shared-linked
> SUID binary.
> 
> hd
> 
> [0]
> https:///www.halfdog.net/Security/2018/OpensshSftpChrootCodeExecution
> /

Thank you for the article describing this issue in an understandable
manner. What struck my attention is the reading of /etc/ssh/sshrc
from the chroot.

Is it even correct that OpenSSH is searching for the /etc/ssh/sshrc
file AFTER the chroot?

No, I am not advocating writable chroots, but it sounds wrong to me,
or at least it is nothing I would expect. Even though it is not
exploitable out of the box, it might be if one chooses "wrong" names
for user directories (well ... etc/ might not be too uncommon).

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.



More information about the openssh-unix-dev mailing list