SFTP chroot: Writable root

Jakub Jelen jjelen at redhat.com
Wed Jan 10 20:05:43 AEDT 2018


On Tue, 2018-01-09 at 21:21 +0000, halfdog wrote:
> [...]
> 
> There are multiple weaknesses to be seen:
> 
> * Ssh searches for /proc/[pid]/fd: I do not know how sftp would
>   react when that directory is found, but it is not nice that
>   a hypothetical user "proc" could influence login behavior of
>   other processes
> 
> 907   open("/proc/907/fd", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

This is just part of the closefrom() procedure [1] -- it searches for
open file descriptors and if it finds them, it tries to close them. I
don't think there is any straightforward way to exploit it.

[1] https://github.com/openssh/openssh-portable/blob/master/openbsd-compat/bsd-closefrom.c#L79


>   Same argument for:
> 
> 906   stat("/usr/lib/openssh/sftp-server", 0x7fff75547e00) = -1 ENOENT (No such file or directory)
> 
>   (When found, it is still not executed in sftp-internal mode)
> 
> * Loading of sshrc - really bad:
> 
> 907   stat("/etc/ssh/sshrc", 0x7fff75547460) = -1 ENOENT (No such file or directory)

This can be a real problem from my point of view.

> * Search for other /etc files - I would not bet that the passwd
>   parser was hardened against malicious input. Simply not a use case.
> 
> 895   open("/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
> 895   open("/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
> 895   open("/etc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
> 
> * This also seems not really nice: if the target directory does not
>   exist, login does not stop. But maybe it is a requirement, e.g.
>   to support login to users without having their own home directory.
> 
> 907   chdir("/home/build")              = -1 ENOENT (No such file or directory)

It is quite expected that, in a chroot, there might not be a real
home directory. Outside of the chroot, it would be a fatal error [2]. I
don't think there is a way to misuse it.

[2] https://github.com/openssh/openssh-portable/blob/master/session.c#L1586

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
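As an added example (not part of this thread and not OpenSSH code), a POSIX sh audit that checks a ChrootDirectory for the conditions the quoted strace output raises: the chroot and every parent component must be root-owned and not group/world-writable, and the paths sshd consults by absolute name from inside the chroot (/etc/ssh/sshrc, /etc/passwd, /etc/group, /etc/localtime, /proc, /usr/lib/openssh/sftp-server) should ideally not exist, and if they do they must be root-owned and unwritable. The path list comes from the quoted trace; the function names and the /srv/sftp example path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: audit a ChrootDirectory
# for user-controllable files that sshd/sftp consults inside the chroot.
# Findings are printed one per line; the function always returns 0 so it can
# be used inside scripts running under "set -e".

# True (non-empty output) if the path is not root-owned or is writable by
# group/others, mirroring the ownership rule sshd applies to ChrootDirectory.
unsafe_path() {
    find "$1" -prune \( ! -user root -o -perm -g+w -o -perm -o+w \) -print 2>/dev/null
}

# Walk from the chroot up to / and report any component that fails the rule.
check_path_components() {
    p=$1
    while :; do
        if [ -n "$(unsafe_path "$p")" ]; then
            echo "writable or non-root-owned path component: $p"
        fi
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
}

# Paths from the quoted strace output that sshd/sftp looks up inside the chroot.
CHROOT_SENSITIVE_PATHS="etc/ssh/sshrc etc/passwd etc/group etc/localtime proc usr/lib/openssh/sftp-server"

audit_chroot() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "ERROR: $root is not a directory"
        return 0
    fi
    check_path_components "$root"
    for rel in $CHROOT_SENSITIVE_PATHS; do
        p="$root/$rel"
        if [ -e "$p" ]; then
            if [ -n "$(unsafe_path "$p")" ]; then
                echo "user-controllable path consulted by sshd inside the chroot: $p"
            else
                echo "note: $p exists inside the chroot (root-owned, not writable)"
            fi
        fi
    done
    return 0
}

# Usage: sh audit_chroot.sh /srv/sftp/example   (hypothetical chroot path)
if [ "$#" -gt 0 ]; then
    audit_chroot "$1"
fi
```

Run it against each ChrootDirectory after provisioning a user; any "user-controllable" line means the user can plant the file sshd looks up (the sshrc case is the one Jakub flags as a real problem), and any "path component" line means sshd will refuse the chroot anyway.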
