Interesting OpenSSH & SELinux Flaw

SA Security Bloggers

SensePost

Haroon Meer
link

Matt Erasmus
link

Andrew Mohawk

Junaid Loonat
link

Barry Irwin
link

Tom Wells

Allen Baranov
link

Jock Forrester
link

IT Security Pubcast
link

Telspace

ISGAfrica

Ralfe Poisson

How-To's
link Linux SSH Jail with pam_chroot
link Firefox Privacy & Security Extensions

Papers
link Managing Patching, my MSc Thesis
link Risk Analysis of Monthly Patch Schedules

Tools
link Automated Vodacom SMS (VodaSMS)
link RSS 2 SMS
link DShield Hack Detection

Neologisms
link Encryption principles
link Zoolander's Law

Syndicate This Blog

SSL

Certificate fingerprints:

SHA1: 61 13 45 4B 4C F9 89 9B B7 87 C8 78 F7 38 12 CB 07 E2 60 BF
MD5 : DA 53 7B 50 E4 3A 2C 6C A1 17 53 C1 A0 5E CB 89

HTTPS version.
You can find an explanation here.

License

Original content in this work is licensed under a Creative Commons License

Disclaimer

This blog and its contents are in no way affiliated with, or endorsed by my employer.

Random Entry: CV Update and Possible Work for IBM
< SCP Transfer Resuming With Rsync | Vulnerability Life Cycle >

Friday, July 18. 2008

Interesting OpenSSH & SELinux Flaw

Some older versions of SELinux and OpenSSH compiled to support it allow you to log in with an arbitrarily chosen SELinux role. You'll need a valid account, and some fairly undefined conditions, but the attack is:

ssh --l<username>:/<chosen role> <host>

Haven't seen a (potential) stuff up like that since the MIT Kerberos telnet daemon flaw (which was significantly worse). I'd like to think that people who've gone to the effort of setting up SELinux also patch regularly. Source, milw0rm.

I am interested in this because it is dreadfully simple, has some weird implications for how SSH and SELinux interact, and there is scant information about this. Maybe a few more eyes can uncover something.

Disclaimer: I haven't tested this. The author only tested it on a limited subset and it didn't work on up-to-date distros.

Update: Explained my motivations and authority (or lack there of) of the exploit thanks to foobar's comments.

Posted by Dominic White in Security at 06:55 | Comments (4) | Trackbacks (0)

Last modified on 2008-07-21 08:27

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

You seem to misunderstand how SELinux works. SELinux is not handled by ssh but by the kernel so it doesn't matter what you request to ssh as long as the kernel denies it.

#1 foobar on 2008-07-19 16:22 (Reply)

I don't misunderstand. I am merely commenting on a published exploit. However, this is still possible. Think of SSH like a web page, and SELinux like the database in a SQL injection. SSH could just be a conduit for the input validation problem in SELinux.

#2 Dominic White (Homepage) on 2008-07-19 23:08 (Reply)

i guess you did not even try this "exploit"?

#3 foobar on 2008-07-20 13:46 (Reply)

Nope. I'm assuming the exploit author did, but I don't think it is serious enough for me to. I just found it piquing my interest.

#4 Dominic White (Homepage) on 2008-07-20 21:26 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	E-Mail addresses will not be displayed and will only be used for E-Mail notifications. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry