[Secure-testing-team] Bug#873201: openssh-client: command line parsing with -- between option and non-option arguments completely broken

[Thorsten Glaser]

Package: openssh-client
Version: 1:7.5p1-7
Severity: grave
Tags: upstream security
Justification: user security hole

Dear Debian maintainer,

I was intending to report this upstream, but, contrary to the documentation
     * [9]openssh-unix-...@mindrot.org This is a public list and is open to 
posting from non-subscribed
       users.
on https://www.openssh.com/report.html the upstream mailing list is not
open for postings, as I got a rejection message…
> Posting by non-members to openssh-unix-...@mindrot.org is currently
> disabled, sorry.
… so please forward this upstream, as is a package maintainer’s duty.

Original message follows:

-----cutting here may damage your screen surface-----
From: Thorsten Glaser <t.gla...@tarent.de>
Message-ID: <alpine.deb.2.20.1708251545580.2...@tglase.lan.tarent.de>
To: openssh-unix-...@mindrot.org
Date: Fri, 25 Aug 2017 15:57:47 +0200 (CEST)
Subject: command line parsing with -- between option and non-option arguments 
completely broken

Hi,

in the process of me fixing CVE-2017-12836 a user noticed a
problem with OpenSSH’s command line parsing.

I’ve verified these on OpenSSH 5.3 (MirBSD) and 7.5p1 (Debian).

So, to begin with, this command _should_ spawn xeyes:

$ ssh -oProxyCommand=xeyes vuxu.org

This command _could_ spawn xeyes on glibc systems, but
probably shouldn’t on POSIX or BSD systems:

$ ssh vuxu.org -oProxyCommand=xeyes

This command properly does not spawn xeyes but tries to
resolve “-oProxyCommand=xeyes” as hostname, correctly failing:

$ ssh -- -oProxyCommand=xeyes

This command *must not* spawn xeyes, but does:

$ ssh -- vuxu.org -oProxyCommand=xeyes

This instead must execute “-oProxyCommand=xeyes” as command
on the remote side.

Interestingly enough, this command works the same and also
mustn’t but also doesn’t:

$ ssh vuxu.org -- -oProxyCommand=xeyes

Now it gets completely weird, this doesn’t spawn xeyes either:

$ ssh -- vuxu.org -- -oProxyCommand=xeyes

This “should” execute “--” as command with “-oProxyCommand=xeyes”
as its first option on the remote site, but judging from the error
| mksh: ProxyCommand=xeyes: unknown option
it instead passes “-oProxyCommand=xeyes” as option to a shell on
the remote side.

I don’t do the security theatre, but this could perhaps be considered
missing command escaping on the remote side (passing what would be a
command as an option to the remote shell) in addition to completely
fucked up option parsing on the local side.

This was first reported by nickserv-auth’d user jn__ on #musl on
Freenode IRC, and leah2 forwarded it to me as current de-facto
maintainer of GNU CVS because I considered adding “--” between
option and nōn-option arguments sufficient for fixing the afore‐
mentioned CVE, judging this effective enough with normal command
line parsing rules (as in getopt(3) on OpenBSD) and given the
.Sx SYNOPSIS
in the ssh manpage.

bye,
//mirabilos

PS: Please keep me in Cc, I’m not subscribed to the list.
-----cutting here may damage your screen surface-----

Thanks!

PS: This affects cvs in wheezy, jessie and stretch but not sid.


-- System Information:
Debian Release: buster/sid
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.11.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages openssh-client depends on:
ii  adduser           3.116
ii  dpkg              1.18.24
ii  libc6             2.24-14
ii  libedit2          3.1-20170329-1
ii  libgssapi-krb5-2  1.15.1-2
ii  libselinux1       2.6-3+b2
ii  libssl1.0.2       1.0.2l-2
ii  passwd            1:4.4-4.1
ii  zlib1g            1:1.2.8.dfsg-5

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain                  <none>
ii  kwalletcli [ssh-askpass]  3.00-1
pn  libpam-ssh                <none>
pn  monkeysphere              <none>

-- Configuration Files:
/etc/ssh/moduli changed [not included]
/etc/ssh/ssh_config changed [not included]

-- no debconf information
_______________________________________________
Secure-testing-team mailing list
Secure-testing-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team