Re: openssh on linux rce in sftp-only mode

[Vitor Ventura <ventura.vitor () gmail com>]

Yes you do need to connect to it via ptrace, in order to read the mem.
Em 08/10/2014 22:58, "Jann Horn" <jann () thejh net> escreveu:

> On Wed, Oct 08, 2014 at 03:32:23PM -0400, Josh Bressers wrote:
> > > I reported this to the OpenSSH developers, and although they included
> my
> > > patch as a mitigation, they did not treat it as a vuln in OpenSSH.
> > >
> > > I believe that treating this as a hardening patch makes sense. The SFTP
> > > server behaves exactly as documented, it allows access to the whole
> > > filesystem. And on Linux, that happens to equal write access to the
> > > process RAM, so you should never give that access to someone who
> > > shouldn't be able to run arbitrary code.
> >
> > I think one has to assume if a user has unrestricted sftp access, they
> can
> > figure out how to do most anything. Even with the upstream hardening
> patch,
> > it really only protects the sftpd process. Any other processes the user
> may
> > own could be modified.
>
> Not that easily - /proc/$pid/mem requires you to either be the same process
> or be attached to it via ptrace, I think.