Re: ssh+svn vs. bash security bug?

From: Vincent Lefevre <vincent-svn_at_vinc17.net>
Date: Sat, 27 Sep 2014 00:59:00 +0200

On 2014-09-24 19:28:51 +0300, Stefan Sperling wrote:
> From what I understand after reading about the problem briefly:
>
> In an svn+ssh setup svn clients run 'svnserve -t' by default.
> But there is no reason this could not be changed to '/bin/bash' by
> an attacker.
>
> Note that forcing a command in the authorized_keys file will *not*
> work around the problem: http://seclists.org/oss-sec/2014/q3/651

How can this be possible? Do you mean that OpenSSH starts the command
with bash instead of some exec* function or /bin/sh (which is dash on
my machines)?

> It should be possible to mitigate this attack vector by having
> svnserve run in an environment that doesn't have bash available,
> either with no bash binary at all on the system, or within a chroot.

The main bug would be that OpenSSH might be able to start bash while
the user has never allowed it.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Received on 2014-09-27 00:59:29 CEST

This message: [ Message body ]
Next message: jblist_at_icloud.com: "Re: ssh+svn vs. bash security bug?"
Previous message: Mohsin Abbas: "Re: SVN Commit Failed For Data larger Than 2 GB [How To Resolve]"
In reply to: Stefan Sperling: "Re: ssh+svn vs. bash security bug?"
Next in thread: jblist_at_icloud.com: "Re: ssh+svn vs. bash security bug?"
Reply: jblist_at_icloud.com: "Re: ssh+svn vs. bash security bug?"
Reply: Philip Martin: "Re: ssh+svn vs. bash security bug?"
Reply: Nico Kadel-Garcia: "Re: ssh+svn vs. bash security bug?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]