Subsystem sftp invoked even though forced command created

Jochen Bern Jochen.Bern at binect.de
Thu Jul 6 21:20:04 AEST 2023


On 05.07.23 18:01, MCMANUS, MICHAEL P wrote:
> It appears the forced command either does not run or runs to completion
> and exits immediately, as there is no process named "receive.ksh" in
> the process tree.

FWIW, two cents of mine:

-- The script *exiting* should *not* prompt sshd to execute the 
requested subsystem "as a second thought", or else it'd happen all over 
the place.

-- The process' cmdline would state the shell executing the script (ksh, 
I suppose?) rather than the script file.

In the meantime, I received an (off-list) e-mail pointing out that your 
script obviously accepts input from stdin (note the "-T" given to ssh, 
so no tty):

>> The actual command is similar to the following (parameters inserted to protect the source):
>>         (print ${FQDN} ; print ${Environment} ; cat ${OutFileXML}) | \
>>         ssh -Ti ${EmbeddedPrivateKey} ...

and that it's conceivable that WinSCP might send a command line 
executing sftp-server, just in case the server provides it with a login 
shell instead of calling the SFTP subsystem directly; hence the theory 
that the script has some command injection vulnerability.

Does the exploit still work when you change the authorized_keys from
	command="/.../receive.ksh"
to, e.g.,
	command="/bin/ksh -c '/.../receive.ksh </dev/null'"
to suppress the client's input?

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
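A defensive illustration of the receiving side, added here and not the poster's receive.ksh: a hypothetical POSIX sh forced-command wrapper that consumes the three piped values (FQDN, environment, XML) with `read -r` and `cat` only, never handing client bytes to eval or to a command name, and that refuses to run when sshd reports a client-supplied command or subsystem request in SSH_ORIGINAL_COMMAND (as documented in sshd(8)). The spool directory argument, the environment allow-list and the output file naming are assumptions.

```shell
#!/bin/sh
# Hypothetical forced-command wrapper (added example, not the poster's receive.ksh).
# Expected stdin, as in the sender's pipeline: line 1 FQDN, line 2 environment,
# then the XML document. Nothing read from the client is eval'd or used as a
# command name, so a client that pipes in a command line gets no execution.

# Accept only hostname-like strings (letters, digits, dots, hyphens).
valid_fqdn() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Fixed allow-list of environment names (assumed values).
valid_env() {
    case "$1" in
        prod|test|dev) return 0 ;;
        *) return 1 ;;
    esac
}

# sshd exports the command or subsystem the client asked for in
# SSH_ORIGINAL_COMMAND; a plain `ssh -T host` with no command leaves it unset.
# Any client-supplied command (e.g. a request for sftp) is refused here.
original_command_ok() {
    [ -z "${SSH_ORIGINAL_COMMAND:-}" ]
}

# Consume stdin and write the XML into $1, named from validated values only.
# Returns 0 on success, 1 on short input, 2 on bad FQDN, 3 on bad environment.
receive_payload() {
    spool=$1
    IFS= read -r fqdn || return 1
    IFS= read -r env || return 1
    valid_fqdn "$fqdn" || { echo "rejected FQDN" >&2; return 2; }
    valid_env "$env" || { echo "rejected environment" >&2; return 3; }
    umask 077
    cat > "$spool/$env.$fqdn.xml"   # bytes are copied, never interpreted
}

# Entry point when installed as authorized_keys command="/path/wrapper.sh /var/spool/receive"
if [ $# -eq 1 ] && [ -d "$1" ]; then
    original_command_ok || { echo "unexpected client command" >&2; exit 4; }
    receive_payload "$1"
fi
```

If the legitimate sender does pass a command string, replace the empty-check in original_command_ok with a comparison against that exact string.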