Jul 18
Security

Some older versions of SELinux, together with OpenSSH builds compiled with SELinux support, allow you to log in with an arbitrarily chosen SELinux role. You'll need a valid account and some fairly undefined conditions to hold, but the attack is:

ssh -l <username>:/<chosen role> <host>

Haven't seen a (potential) stuff-up like that since the MIT Kerberos telnet daemon flaw (which was significantly worse). I'd like to think that people who've gone to the effort of setting up SELinux also patch regularly. Source: milw0rm.

I am interested in this because it is dreadfully simple, has some weird implications for how SSH and SELinux interact, and there is scant information about this. Maybe a few more eyes can uncover something.

Disclaimer: I haven't tested this. The author only tested it on a limited subset and it didn't work on up-to-date distros.

Update: Explained my motivations and authority (or lack thereof) regarding the exploit, thanks to foobar's comments.

Posted by Dominic White

Last modified on 2008-07-21 08:27
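
The debate in the comments below turns on where a role requested through the `<username>:/<role>` login syntax is checked against policy. This is an added example of that check, not code from OpenSSH, SELinux or the exploit author; the login and role tables are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample policy (assumption, not taken from any real system):
# Linux login -> SELinux user, and SELinux user -> roles it is authorized for.
LOGIN_TO_SEUSER = {"alice": "staff_u", "bob": "user_u"}
SEUSER_ROLES = {"staff_u": ["staff_r", "sysadm_r"], "user_u": ["user_r"]}

# Conventional SELinux role naming: lowercase identifier ending in "_r".
ROLE_RE = re.compile(r"[a-z][a-z0-9_]*_r")


def split_login(login):
    """Split '<username>:/<role>' into (username, role); role is None if absent."""
    user, sep, role = login.partition(":/")
    return (user, role) if sep else (login, None)


def resolve_role(login):
    """Return (username, role) for the session, or raise PermissionError.

    The requested role is honoured only if the SELinux user mapped to this
    login is authorized for it; a client-supplied suffix is never trusted.
    """
    user, requested = split_login(login)
    seuser = LOGIN_TO_SEUSER.get(user)
    if seuser is None:
        raise PermissionError("unknown login")
    allowed = SEUSER_ROLES[seuser]
    if requested is None:
        return user, allowed[0]  # no suffix: use the default (first) role
    if not ROLE_RE.fullmatch(requested):
        raise PermissionError("malformed role")
    if requested not in allowed:
        raise PermissionError(f"{seuser} is not authorized for {requested}")
    return user, requested


if __name__ == "__main__":
    for login in ["alice", "alice:/sysadm_r", "bob:/sysadm_r", "bob:/"]:
        try:
            print(login, "->", resolve_role(login))
        except PermissionError as exc:
            print(login, "-> denied:", exc)
```
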


4 Comments

  1. foobar says:

    You seem to misunderstand how SELinux works. SELinux is not handled by ssh but by the kernel so it doesn't matter what you request to ssh as long as the kernel denies it.

  2. Dominic White says:

    I don't misunderstand. I am merely commenting on a published exploit. However, this is still possible. Think of SSH like a web page, and SELinux like the database in a SQL injection. SSH could just be a conduit for the input validation problem in SELinux.

  3. foobar says:

    I guess you did not even try this "exploit"?

  4. Dominic White says:

    Nope. I'm assuming the exploit author did, but I don't think it is serious enough for me to. I just found it piquing my interest.
