Vlad Grigorescu <v...@es.net> writes:
> I'd like to make you aware of the following issue we discovered in rssh.
> (Most recent version available at:
> https://esnet-security.github.io/vulnerabilities/20190115_rssh)
Thank you for the notice!
> Our setup for these commands is:
>> scp bad.so rssh_user@host:
> 1. From the command line:
>> ssh rssh_user@host 'scp -o PKCS11Provider=./bad.so 1 localhost:'
> 2. Using the default .ssh/config file (uploaded to the server first):
>> ssh rssh_user@host 'scp 1 localhost:'
> 3. By specifying our own ssh_config file (uploaded to the server first):
>> ssh rssh_user@host 'scp -F rssh.config 1 localhost:'
Yeah, this is the typical rssh problem, which is that a blacklist isn't at
all sufficient and the server side of these programs support way too many
features.
Honestly, those of us still using this program should probably abandon it
and find some other solution. The programs it tries to support are rather
ill-behaved and make this sort of security model almost impossible to
maintain, as witness by the fact that things like this keep coming up.
But in the name of keeping things limping forward for those of us who
haven't migrated yet, I took a quick look at this.
Here is a COMPLETELY UNTESTED patch that might fix this problem. If I can
find the time, I'll try to do some testing and patch the Debian package.
If anyone else who is still using rssh has a chance to look at this, test,
do code review, etc., that would be much appreciated. This is based on
looking at the source code of OpenSSH 7.9p1, so it's entirely possible
that other versions need to pass other arguments that aren't accepted
here.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
diff --git a/util.c b/util.c
index 56f67ad..4dde1a0 100644
--- a/util.c
+++ b/util.c
@@ -268,6 +268,45 @@ static int rsync_e_okay( char **vec )
}
+/*
+ * scp_okay() - take the command line and check that it is a hopefully-safe scp
+ * server command line, accepting only very specific options.
+ * Returns FALSE if the command line should not be allowed, TRUE
+ * if it is okay.
+ */
+static int scp_okay( char **vec )
+{
+ int saw_file = FALSE;
+ int saw_end = FALSE;
+
+ for ( ; vec && *vec; vec++ ){
+ /* Allowed options. */
+ if ( !saw_end ) {
+ if ( strcmp(*vec, "-v") == 0 ) continue;
+ if ( strcmp(*vec, "-r") == 0 ) continue;
+ if ( strcmp(*vec, "-p") == 0 ) continue;
+ if ( strcmp(*vec, "-d") == 0 ) continue;
+ if ( strcmp(*vec, "-f") == 0 ) continue;
+ if ( strcmp(*vec, "-t") == 0 ) continue;
+ }
+
+ /* End of arguments. One more argument allowed after this. */
+ if ( !saw_end && strcmp(*vec, "--") == 0 ){
+ saw_end = TRUE;
+ continue;
+ }
+
+ /* No other options allowed, but allow file starting with -. */
+ if ( *vec[0] == '-' && !saw_end ) return FALSE;
+ if ( saw_file ) return FALSE;
+ saw_file = TRUE;
+ }
+
+ /* We must have seen a single file. */
+ return saw_file;
+}
+
+
/*
* check_command_line() - take the command line passed to rssh, and verify
* that the specified command is one the user is
@@ -283,8 +322,11 @@ char *check_command_line( char **cl, ShellOptions_t *opts )
return PATH_SFTP_SERVER;
if ( check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){
- /* filter -S option */
- if ( opt_filter(cl, 'S') ) return NULL;
+ if ( !scp_okay(cl) ){
+ fprintf(stderr, "\ninsecure scp option not allowed.");
+ log_msg("insecure scp option in scp command line");
+ return NULL;
+ }
return PATH_SCP;
}
_______________________________________________
rssh-discuss mailing list
rssh-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
