Security implications of using ControlMaster

Stephen Harris lists at
Tue Jan 21 12:32:01 AEDT 2020

On Tue, Jan 21, 2020 at 12:18:52PM +1100, Damien Miller wrote:
> I wouldn't say it's a lot harder to take control of current connections -
> writing a ptrace-based tool that hijacked a running ssh client and
> injected a one-off implant payload via keystrokes doesn't seem like
> much work.

* Injection of key strokes into an existing channel may be detected
  just because "hey, I didn't type foobar" so why is it on my screen.
  A new shell on a different channel won't show so obviously.

* That's a lot harder than just getting a whole new shell without writing
  any tools; just use the existing ssh command line.  Tool-less compromise
  is a higher risk vector 'cos it's harder for monitoring tools to detect.



More information about the openssh-unix-dev mailing list