Security implications of using ControlMaster
Harald Wagener
wagener at gmail.com
Tue Jan 21 18:26:09 AEDT 2020
Stephen Harris <lists at spuddy.org> schrieb am Di., 21. Jan. 2020, 02:39:
> On Tue, Jan 21, 2020 at 12:18:52PM +1100, Damien Miller wrote:
> > I wouldn't say it's a lot harder to take control of current connections -
> > writing a ptrace-based tool that hijacked a running ssh client and
> > injected a one-off implant payload via keystrokes doesn't seem like
> > much work.
>
> * Injection of key strokes into an existing channel may be detected
> just because "hey, I didn't type foobar" so why is it on my screen.
> A new shell on a different channel won't show so obviously.
>
`~.` is a nice keystroke sequence to inject because it disconnects the
session and you will likely not even see the input on screen.
An unsuspecting victim would assume a network glitch and reconnect,
yielding a new (and controllable by the attacker) session.
Best,
Harald
PS this is veering offtopic, but a simple `Ctrl-C Ctrl-D` might be even
less suspicious. Combine this with `Ctrl-S` and `Ctrl-Q` and unless you
have full input stream logging you will have a lot of opportunities of
messing with existing connections unnoticed.
More information about the openssh-unix-dev
mailing list