Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 31 Jan 2017 16:56:09 +0100
From: Sebastian Krahmer <krahmer@...e.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: OpenSSH: CVE-2015-6565 (pty issue in 6.8-6.9)
 can lead to local privesc on Linux

Hi


On Thu, Jan 26, 2017 at 06:35:12PM +0100, Noryungi wrote:
> Does not work on centos 7.1 (unpatched) running stock openssh.
> 
> TTY capture works, /tmp/sh is created but user is unprivileged.

I can confirm that the exploit is working on a vanilla 4.1.6 kernel
with openssh 6.8. I was a bit puzzled because wrong modes on ttys by itself
should no longer be exploitable on Linux.

Here are my 2ct:

1) Exploit evades the controlling-tty entry-check inside kernels tiocsti()
   that was introduced to cope with hijacking of tty's based on wrong
   modes. Obviously that 'hardening' failed here. Why?
2) Because of glibc's openpty() as called by openssh opens
   the slave device with O_NOCTTY (it has to do so). This leaves
   tiocsti() with pants down, since there is no "controlling owner"
   for this tty yet and the attacker is free to catch on it.
3) The wrong mode (0622) is set, and later openssh calls ioctl(TIOCSCTTY)
   to claim it as the controlling tty for the shell.
   -> The race happens in between them and its just a few syscalls

So the race that needs to be won is actually against the kernels
tiocsti() check, as the wrong mode stays much longer. If the race is
lost, its likely that the open still succeeds, but the injection of
commands is no longer possible. That might explain why the bug was
flagged as "local DoS".

If the race fails, the exploit loop could be tightened to close any fd's in the child,
so the open() automatically gets it as controlling tty and the race
is easier to win.

Kudos to the exploit dev who has PoC||GTFO'ed us.

Sebastian



> 
> On Jan 26, 2017 5:52 PM, <up201407890@...nos.dcc.fc.up.pt> wrote:
> 
> > Hi list,
> >
> > I know I'm late to the party, but I was bored, so I decided to write an
> > exploit for CVE-2015-6565 which affects OpenSSH 6.8-6.9
> > It is mostly considered to be a "DoS", even though Jann Horn publicly told
> > how it could be exploited for local privilege escalation, but I guess its
> > either PoC||GTFO for users to update.
> >
> > From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6565
> >
> > "sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY
> > devices, which allows local users to cause a denial of service (terminal
> > disruption) or possibly have unspecified other impact by writing to a
> > device, as demonstrated by writing an escape sequence."
> >
> > I think the description should be updated.
> >
> > $ gcc not_an_sshnuke.c -o not_an_sshnuke
> > $ ./not_an_sshnuke /dev/pts/3
> > [*] Waiting for slave device /dev/pts/3
> > [+] Got PTY slave /dev/pts/3
> > [+] Making PTY slave the controlling terminal
> > [+] SUID shell at /tmp/sh
> > $ /tmp/sh --norc --noprofile -p
> > # id
> > euid=0(root) groups=0(root)
> >
> > Thanks,
> > Federico Bento.
> >
> >
> >
> > ----------------------------------------------------------------
> > This message was sent using IMP, the Internet Messaging Program.
> >

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.com - SuSE Security Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.