[UNIX] Rssh Root Privileges Escalation



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Rssh Root Privileges Escalation
------------------------------------------------------------------------


SUMMARY

"rssh is a restricted shell for use with OpenSSH, allowing only scp and/or
sftp." (http://www.pizzashack.org/rssh/index.shtml)

rssh installed with a SUID chroot helper allows local attackers to gain
root access on the system.

DETAILS

Vulnerable Systems:
* rssh version 2.2.2 and prior

Immune Systems:
* rssh version 2.3.0
* rssh version 2.3.1

A design flaw in rssh_chroot_helper allows it to be abused to chroot to
arbitrary directories and thereby gain root access. If rssh is installed
on a system, and non-trusted users on that system have access which is not
protected by rssh (they have full shell access), then they can use
rssh_chroot_helper to chroot to arbitrary locations in the file system,
and thereby gain root access.

Workaround:
By careful configuration of file system mounts, it is possible to avoid
this problem, but doing so requires a fair amount of contortion which will
be difficult to re-engineer after an existing installation has already
been configured. The exploit requires the user to be able to write
executables in the directory they are chrooting to, and to create hard
links to SUID binaries within that directory structure, so preventing
either of these two things will foil the exploit.

System administrators can accomplish this by careful configuration of
filesystem permissions, mount points, and mount options (such as noexec,
nosuid, etc.). I will not go into details since the far better solution
is to upgrade.
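The following audit script is an added example, not part of rssh or of this advisory. It checks a prospective chroot target directory against the two conditions the workaround names: whether the filesystem holding it is mounted noexec and nosuid, and whether the tree below it contains writable directories or SUID files a user could hard-link to. It assumes util-linux findmnt(8) and GNU find are available and that the administrator supplies the directory path.

```shell
#!/bin/sh
# Added audit helper (not from rssh or the advisory): verifies the
# mount-option workaround for rssh_chroot_helper on one chroot target.

# Returns 0 if the comma-separated mount option list $1 contains option $2.
has_mount_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints, one per line, the options from the workaround (noexec, nosuid)
# that are missing from option string $1; prints nothing if both present.
missing_workaround_opts() {
    for opt in noexec nosuid; do
        has_mount_opt "$1" "$opt" || echo "$opt"
    done
}

# Option string of the filesystem holding directory $1 (assumes findmnt).
mount_opts_for_dir() {
    findmnt -n -o OPTIONS --target "$1"
}

# Audit a chroot target: warn about missing mount options, directories an
# untrusted user could write executables into, and SUID files in the tree.
# Returns 1 if any warning was issued, 2 if the mount could not be resolved.
audit_chroot_target() {
    dir=$1
    opts=$(mount_opts_for_dir "$dir") || { echo "cannot resolve mount for $dir"; return 2; }
    rc=0
    for m in $(missing_workaround_opts "$opts"); do
        echo "WARN: $dir is on a filesystem mounted without $m"
        rc=1
    done
    # Group- or world-writable directories allow dropping executables (GNU find -perm /).
    for d in $(find "$dir" -type d -perm /022 2>/dev/null); do
        echo "WARN: writable directory inside chroot tree: $d"
        rc=1
    done
    # Any SUID file under the target, including hard links to system binaries.
    for f in $(find "$dir" -type f -perm -4000 2>/dev/null); do
        echo "WARN: SUID file inside chroot tree: $f"
        rc=1
    done
    return $rc
}

# usage: audit_chroot_target /path/to/chroot
```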

Vendor Status:
The 2.3.0 release of rssh fixes this problem by forcing the chroot helper
program to re-parse the config file instead of allowing the chroot home to
be specified on the command line. Thus users not listed cannot use it to
chroot (or will chroot to the default location specified by the sys
admin), and users who are listed will be chrooted only to the directories
where they are supposed to go.


ADDITIONAL INFORMATION

The information has been provided by Derek Martin (code@xxxxxxxxxxxxxx).


