Attachment 2955 Details for Bug 2691 – Patch to make escape char forward menu optional

[patch] Patch to make escape char forward menu optional

openssh-add-escapechar-menu-cfg.patch (text/plain), 6.53 KB, created by Thomas Jarosch on 2017-03-08 09:16:25 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Thomas Jarosch

Created: 2017-03-08 09:16:25 AEDT

Size: 6.53 KB

patch

obsolete

>From 2b2d4ebfb010ceef565c5356ab280ae0f17a0a26 Mon Sep 17 00:00:00 2001
>From: Thomas Jarosch <thomas.jarosch@intra2net.com>
>Date: Tue, 7 Mar 2017 22:43:13 +0100
>Subject: [PATCH] Add option to disable escape char based forward menu
>
>If you connect to untrusted remote machines and use
>a terminal emulator like screen(1), an attacker might
>inject escape sequences into your session and open
>the forward menu without your knowledge. This opens
>up the possibility to add port forwardings into
>your local network thereby bypassing your firewall.
>
>Fix this security risk by making the forward menu optional.
>For compatibility reasons it's enabled by default for now.
>
>Exploit demonstrated here:
>https://0xicf.wordpress.com/2015/03/13/hijacking-ssh-to-inject-port-forwards/
>---
> clientloop.c | 31 +++++++++++++++++++------------
> readconf.c   | 11 ++++++++++-
> readconf.h   |  1 +
> ssh_config   |  1 +
> ssh_config.5 | 12 ++++++++++++
> 5 files changed, 43 insertions(+), 13 deletions(-)
>
>diff --git a/clientloop.c b/clientloop.c
>index c6a41386..2d1f0581 100644
>--- a/clientloop.c
>+++ b/clientloop.c
>@@ -926,18 +926,20 @@ process_cmdline(void)
> 
> 	if (*s == 'h' || *s == 'H' || *s == '?') {
> 		logit("Commands:");
>-		logit("      -L[bind_address:]port:host:hostport    "
>-		    "Request local forward");
>-		logit("      -R[bind_address:]port:host:hostport    "
>-		    "Request remote forward");
>-		logit("      -D[bind_address:]port                  "
>-		    "Request dynamic forward");
>-		logit("      -KL[bind_address:]port                 "
>-		    "Cancel local forward");
>-		logit("      -KR[bind_address:]port                 "
>-		    "Cancel remote forward");
>-		logit("      -KD[bind_address:]port                 "
>-		    "Cancel dynamic forward");
>+		if (options.escape_char_forward_menu == 1) {
>+		    logit("      -L[bind_address:]port:host:hostport    "
>+			"Request local forward");
>+		    logit("      -R[bind_address:]port:host:hostport    "
>+			"Request remote forward");
>+		    logit("      -D[bind_address:]port                  "
>+			"Request dynamic forward");
>+		    logit("      -KL[bind_address:]port                 "
>+			"Cancel local forward");
>+		    logit("      -KR[bind_address:]port                 "
>+			"Cancel remote forward");
>+		    logit("      -KD[bind_address:]port                 "
>+			"Cancel dynamic forward");
>+		}
> 		if (!options.permit_local_command)
> 			goto out;
> 		logit("      !args                                  "
>@@ -951,6 +953,11 @@ process_cmdline(void)
> 		goto out;
> 	}
> 
>+	if (options.escape_char_forward_menu != 1) {
>+		logit("Forward menu disabled.");
>+		goto out;
>+	}
>+
> 	if (*s == 'K') {
> 		delete = 1;
> 		s++;
>diff --git a/readconf.c b/readconf.c
>index 72b4a637..1bcc773f 100644
>--- a/readconf.c
>+++ b/readconf.c
>@@ -148,7 +148,7 @@ typedef enum {
> 	oChallengeResponseAuthentication, oXAuthLocation,
> 	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
> 	oCertificateFile, oAddKeysToAgent, oIdentityAgent,
>-	oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
>+	oUser, oEscapeChar, oEscapeCharForwardMenu, oRhostsRSAAuthentication, oProxyCommand,
> 	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
> 	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
> 	oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
>@@ -255,6 +255,7 @@ static struct {
> 	{ "host", oHost },
> 	{ "match", oMatch },
> 	{ "escapechar", oEscapeChar },
>+	{ "escapecharforwardmenu", oEscapeCharForwardMenu },
> 	{ "globalknownhostsfile", oGlobalKnownHostsFile },
> 	{ "userknownhostsfile", oUserKnownHostsFile },
> 	{ "connectionattempts", oConnectionAttempts },
>@@ -1368,6 +1369,10 @@ parse_keytypes:
> 			*intptr = value;
> 		break;
> 
>+	case oEscapeCharForwardMenu:
>+		intptr = &options->escape_char_forward_menu;
>+		goto parse_flag;
>+
> 	case oAddressFamily:
> 		intptr = &options->address_family;
> 		multistate_ptr = multistate_addressfamily;
>@@ -1827,6 +1832,7 @@ initialize_options(Options * options)
> 	options->jump_extra = NULL;
> 	options->user = NULL;
> 	options->escape_char = -1;
>+	options->escape_char_forward_menu = -1;
> 	options->num_system_hostfiles = 0;
> 	options->num_user_hostfiles = 0;
> 	options->local_forwards = NULL;
>@@ -1995,6 +2001,8 @@ fill_default_options(Options * options)
> 	}
> 	if (options->escape_char == -1)
> 		options->escape_char = '~';
>+	if (options->escape_char_forward_menu == -1)
>+		options->escape_char_forward_menu = 1;
> 	if (options->num_system_hostfiles == 0) {
> 		options->system_hostfiles[options->num_system_hostfiles++] =
> 		    xstrdup(_PATH_SSH_SYSTEM_HOSTFILE);
>@@ -2551,6 +2559,7 @@ dump_client_config(Options *o, const char *host)
> 	dump_cfg_fmtint(oVerifyHostKeyDNS, o->verify_host_key_dns);
> 	dump_cfg_fmtint(oVisualHostKey, o->visual_host_key);
> 	dump_cfg_fmtint(oUpdateHostkeys, o->update_hostkeys);
>+	dump_cfg_fmtint(oEscapeCharForwardMenu, o->escape_char_forward_menu);
> 
> 	/* Integer options */
> 	dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots);
>diff --git a/readconf.h b/readconf.h
>index cef55f71..f85db9ed 100644
>--- a/readconf.h
>+++ b/readconf.h
>@@ -80,6 +80,7 @@ typedef struct {
> 	char   *proxy_command;	/* Proxy command for connecting the host. */
> 	char   *user;		/* User to log in as. */
> 	int     escape_char;	/* Escape character; -2 = none */
>+	int     escape_char_forward_menu;	/* Enable forward menu (~C). */
> 
> 	u_int	num_system_hostfiles;	/* Paths for /etc/ssh/ssh_known_hosts */
> 	char   *system_hostfiles[SSH_MAX_HOSTS_FILES];
>diff --git a/ssh_config b/ssh_config
>index 90fb63f0..7af923fb 100644
>--- a/ssh_config
>+++ b/ssh_config
>@@ -42,6 +42,7 @@
> #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
> #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
> #   EscapeChar ~
>+#   EscapeCharForwardMenu yes
> #   Tunnel no
> #   TunnelDevice any:any
> #   PermitLocalCommand no
>diff --git a/ssh_config.5 b/ssh_config.5
>index 591365f3..cef61187 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
>@@ -634,6 +634,18 @@ followed by a letter, or
> to disable the escape
> character entirely (making the connection transparent for binary
> data).
>+.It Cm EscapeCharForwardMenu
>+When you enter the EscapeChar cmdline (EscapeChar+C, default: ~C),
>+there is a menu which allows you to add or remove port forwardings.
>+This can be a security risk if you ssh into untrusted remote hosts.
>+If you use screen(1) or a terminal emulator that transports the escape
>+sequences back to the ssh client, an attacker might control
>+the menu and create tunnels into your local network.
>+The argument must be
>+.Cm yes
>+(the default)
>+or
>+.Cm no.
> .It Cm ExitOnForwardFailure
> Specifies whether
> .Xr ssh 1
>-- 
>2.11.1
>

Actions: View | Diff

Attachments on bug 2691: 2955