oss-sec mailing list archives
OpenSSH sftp remote code execution in chroot mode in VERY RARE cases
From: halfdog <me () halfdog net>
Date: Thu, 11 Jan 2018 21:33:59 +0000
Hello list,

This sounds worse, but it is not. And it is public anyway, so FYI:

With internal-sftp and chroot, sftp still attempts to execute code from /etc/ssh/sshrc. See [0] for more information on testing the issue.

It will only affect you when using a writable chroot (which is already documented in man-pages to be insecure) but also some strange configuration settings, e.g. when using ChrootDirectory /home as recommended in [1] and having a user named "etc" and "bin" created.

When creating a user "proc" that way, another issue prohibits closing of inherited file descriptors, that then again may leak to the two other users.

hd

[0] https://www.halfdog.net/Security/2018/OpensshSftpChrootCodeExecution/
[1] https://www.tecmint.com/restrict-sftp-user-home-directories-using-chroot/
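A defender-side check for the preconditions named in the message above, as an added example that is not part of the original post or of OpenSSH: it audits a directory used as ChrootDirectory for a non-root or loosely writable root, for entries named etc, bin or proc that the trusted owner does not control, and for an etc/ssh/sshrc file inside the chroot. The function names are hypothetical, and the trusted owner is assumed to be uid 0 unless a second argument overrides it.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a ChrootDirectory for the
# conditions the post describes. Function names are hypothetical; the trusted
# owner defaults to uid 0 and can be overridden with a second argument.

# Numeric uid of a path's owner, read from portable `ls -ldn` output.
owner_uid() { ls -ldn "$1" | awk '{print $3}'; }

# True when the mode string shows group- or world-write permission.
loosely_writable() {
    perms=$(ls -ldn "$1" | awk '{print $1}')
    case "$perms" in
        l*) return 1 ;;                  # symlink mode bits carry no meaning
        ?????w*|????????w*) return 0 ;;  # position 6 = group w, 9 = other w
    esac
    return 1
}

# audit_chroot DIR [TRUSTED_UID]: print findings, return 0 only if there are none.
audit_chroot() {
    root=$1; trusted=${2:-0}; findings=0
    # The chroot directory itself must not be writable by the confined user.
    if [ "$(owner_uid "$root")" != "$trusted" ] || loosely_writable "$root"; then
        echo "WRITABLE_ROOT $root"; findings=$((findings + 1))
    fi
    # Names taken from the post: entries that shadow system paths after chroot.
    for name in etc bin proc; do
        p="$root/$name"
        [ -e "$p" ] || [ -L "$p" ] || continue
        if [ "$(owner_uid "$p")" != "$trusted" ] || loosely_writable "$p"; then
            echo "UNTRUSTED $p owner=$(owner_uid "$p")"; findings=$((findings + 1))
        fi
    done
    # The file the post says is still looked up with internal-sftp and chroot.
    if [ -e "$root/etc/ssh/sshrc" ]; then
        echo "SSHRC $root/etc/ssh/sshrc"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}
```

Call it as `audit_chroot /home` for each ChrootDirectory value in sshd_config; a non-zero return status means at least one finding was printed.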