mailing list archives
RE: ssh environment - circumvention of restricted shells
From: Leif Sawyer <lsawyer () gci com>
Date: Wed, 26 Jun 2002 16:41:15 -0800
Markus Friedl responded
On Mon, Jun 24, 2002 at 08:08:12PM -0400, ari wrote:
Given the similarities with certain other security issues,
i'm surprised this hasn't been discussed earlier. If it has,
people simply haven't paid it enough attention.
if you setup restricted accounts with restricted shells and allow
unrestricted writing to .ssh/** then you are lost. same
applies to ftp-only accounts where users have full control over
what's in their $HOME.
so for restricted accounts you have to be very careful, don't
allow writing to $HOME, just to some selected sub directories.
This can cause some problems for ISP's who use the user home directory
for their public_html root. This of course is done to keep the number
of user questions down.
I've tried this 'exploit' on both Linux 2.4.14 (redhat) and Solaris 2.8
boxen, and have been unable to get a shell. The shell process is there,
but fails to communicate with the network socket.
*** However ***, if i replace "/bin/sh" with "ping some.ip.add.ress" and
attempt the connection, i'm greeted with the following:
Last login: today from somehost
Sun Microsystems Inc. SunOS 5.8
ld.so.1: ping: warning: /homes/evil/.ssh/evil.so: open failed:
illegal insecure pathname
some.ip.add.ress is alive
Connection to target closed.
Since i'm not a system programmer, I don't know if the failure is due to me
setting up the tty that /bin/sh will use, or if it's related to the above
I look forward to more information on this so that we can escalate the true
issue and get it solved.