Bugzilla – Attachment 2955 Details for
Bug 2691
Add ability to disable escape char forward menu
[patch]
Patch to make escape char forward menu optional
openssh-add-escapechar-menu-cfg.patch (text/plain), 6.53 KB, created by
Thomas Jarosch
on 2017-03-08 09:16:25 AEDT
Description:
Patch to make escape char forward menu optional
Creator:
Thomas Jarosch
Created:
2017-03-08 09:16:25 AEDT
Size:
6.53 KB
>From 2b2d4ebfb010ceef565c5356ab280ae0f17a0a26 Mon Sep 17 00:00:00 2001
>From: Thomas Jarosch <thomas.jarosch@intra2net.com>
>Date: Tue, 7 Mar 2017 22:43:13 +0100
>Subject: [PATCH] Add option to disable escape char based forward menu
>
>If you connect to untrusted remote machines and use
>a terminal emulator like screen(1), an attacker might
>inject escape sequences into your session and open
>the forward menu without your knowledge. This opens
>up the possibility to add port forwardings into
>your local network thereby bypassing your firewall.
>
>Fix this security risk by making the forward menu optional.
>For compatibility reasons it's enabled by default for now.
>
>Exploit demonstrated here:
>https://0xicf.wordpress.com/2015/03/13/hijacking-ssh-to-inject-port-forwards/
>---
> clientloop.c | 31 +++++++++++++++++++------------
> readconf.c | 11 ++++++++++-
> readconf.h | 1 +
> ssh_config | 1 +
> ssh_config.5 | 12 ++++++++++++
> 5 files changed, 43 insertions(+), 13 deletions(-)
>
>diff --git a/clientloop.c b/clientloop.c
>index c6a41386..2d1f0581 100644
>--- a/clientloop.c
>+++ b/clientloop.c
>@@ -926,18 +926,20 @@ process_cmdline(void)
>
> if (*s == 'h' || *s == 'H' || *s == '?') {
> logit("Commands:");
>- logit(" -L[bind_address:]port:host:hostport "
>- "Request local forward");
>- logit(" -R[bind_address:]port:host:hostport "
>- "Request remote forward");
>- logit(" -D[bind_address:]port "
>- "Request dynamic forward");
>- logit(" -KL[bind_address:]port "
>- "Cancel local forward");
>- logit(" -KR[bind_address:]port "
>- "Cancel remote forward");
>- logit(" -KD[bind_address:]port "
>- "Cancel dynamic forward");
>+ if (options.escape_char_forward_menu == 1) {
>+ logit(" -L[bind_address:]port:host:hostport "
>+ "Request local forward");
>+ logit(" -R[bind_address:]port:host:hostport "
>+ "Request remote forward");
>+ logit(" -D[bind_address:]port "
>+ "Request dynamic forward");
>+ logit(" -KL[bind_address:]port "
>+ "Cancel local forward");
>+ logit(" -KR[bind_address:]port "
>+ "Cancel remote forward");
>+ logit(" -KD[bind_address:]port "
>+ "Cancel dynamic forward");
>+ }
> if (!options.permit_local_command)
> goto out;
> logit(" !args "
>@@ -951,6 +953,11 @@ process_cmdline(void)
> goto out;
> }
>
>+ if (options.escape_char_forward_menu != 1) {
>+ logit("Forward menu disabled.");
>+ goto out;
>+ }
>+
> if (*s == 'K') {
> delete = 1;
> s++;
>diff --git a/readconf.c b/readconf.c
>index 72b4a637..1bcc773f 100644
>--- a/readconf.c
>+++ b/readconf.c
>@@ -148,7 +148,7 @@ typedef enum {
> oChallengeResponseAuthentication, oXAuthLocation,
> oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
> oCertificateFile, oAddKeysToAgent, oIdentityAgent,
>- oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
>+ oUser, oEscapeChar, oEscapeCharForwardMenu, oRhostsRSAAuthentication, oProxyCommand,
> oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
> oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
> oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
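Review bot: The new guard tests `options.escape_char_forward_menu == 1` while the neighbouring check two lines below reads `if (!options.permit_local_command)`; the flag is set through `parse_flag` and given a default of 1 in fill_default_options, so a plain boolean test `if (options.escape_char_forward_menu) {` matches the file's style, and the same applies to the `!= 1` test in the -951 hunk. With the menu disabled and PermitLocalCommand off, this branch now prints `Commands:` followed by nothing, which looks like a truncated help; an `else` arm with `logit(" (forward commands disabled by EscapeCharForwardMenu)");` would tell the user why the list is empty. process_cmdline continues outside the hunk.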
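Review bot: The added guard only protects the forwarding commands that follow it; the `!args` local-command handling that appears to precede it (gated by PermitLocalCommand) and, presumably, the other escape sequences handled elsewhere in the client loop are unaffected, so the option narrows the exposure described in the commit message rather than turning off the `~C` command line. That scope should be stated in the readconf.h comment and the ssh_config.5 entry so operators do not assume the whole escape menu is disabled. The log line could also name the option so the user knows what to change: `logit("Forward menu disabled (EscapeCharForwardMenu no).");`. The remainder of process_cmdline, including the `out:` label, lies outside the hunk.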
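Review bot: The added enumerator line `oUser, oEscapeChar, oEscapeCharForwardMenu, oRhostsRSAAuthentication, oProxyCommand,` exceeds 80 columns once the file's tab indent is restored (the indentation is collapsed in this rendering), while the surrounding lines stay within it. Wrapping it as `oUser, oEscapeChar, oEscapeCharForwardMenu,` followed by `oRhostsRSAAuthentication, oProxyCommand,` on the next line keeps the enum consistent. The typedef enum continues outside the hunk.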
>@@ -255,6 +255,7 @@ static struct {
> { "host", oHost },
> { "match", oMatch },
> { "escapechar", oEscapeChar },
>+ { "escapecharforwardmenu", oEscapeCharForwardMenu },
> { "globalknownhostsfile", oGlobalKnownHostsFile },
> { "userknownhostsfile", oUserKnownHostsFile },
> { "connectionattempts", oConnectionAttempts },
>@@ -1368,6 +1369,10 @@ parse_keytypes:
> *intptr = value;
> break;
>
>+ case oEscapeCharForwardMenu:
>+ intptr = &options->escape_char_forward_menu;
>+ goto parse_flag;
>+
> case oAddressFamily:
> intptr = &options->address_family;
> multistate_ptr = multistate_addressfamily;
>@@ -1827,6 +1832,7 @@ initialize_options(Options * options)
> options->jump_extra = NULL;
> options->user = NULL;
> options->escape_char = -1;
>+ options->escape_char_forward_menu = -1;
> options->num_system_hostfiles = 0;
> options->num_user_hostfiles = 0;
> options->local_forwards = NULL;
>@@ -1995,6 +2001,8 @@ fill_default_options(Options * options)
> }
> if (options->escape_char == -1)
> options->escape_char = '~';
>+ if (options->escape_char_forward_menu == -1)
>+ options->escape_char_forward_menu = 1;
> if (options->num_system_hostfiles == 0) {
> options->system_hostfiles[options->num_system_hostfiles++] =
> xstrdup(_PATH_SSH_SYSTEM_HOSTFILE);
>@@ -2551,6 +2559,7 @@ dump_client_config(Options *o, const char *host)
> dump_cfg_fmtint(oVerifyHostKeyDNS, o->verify_host_key_dns);
> dump_cfg_fmtint(oVisualHostKey, o->visual_host_key);
> dump_cfg_fmtint(oUpdateHostkeys, o->update_hostkeys);
>+ dump_cfg_fmtint(oEscapeCharForwardMenu, o->escape_char_forward_menu);
>
> /* Integer options */
> dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots);
>diff --git a/readconf.h b/readconf.h
>index cef55f71..f85db9ed 100644
>--- a/readconf.h
>+++ b/readconf.h
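Review bot: The default of 1 keeps enabled the behaviour the commit message itself calls a security risk, and nothing at this site records that the choice is deliberate, so a later cleanup could flip it (or leave it) without anyone noticing the trade-off. A one-line comment above the assignment, `/* Enabled by default for compatibility; see EscapeCharForwardMenu in ssh_config.5 */`, makes the intent explicit, and the manual page should tell operators who want the stricter setting to set it in the system-wide ssh_config. fill_default_options continues outside the hunk.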
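Review bot: The `dump_cfg_fmtint(oEscapeCharForwardMenu, o->escape_char_forward_menu);` line is appended after oUpdateHostkeys, whereas the flag entries visible above it (oVerifyHostKeyDNS, oVisualHostKey) look alphabetically ordered; placing it beside the other `oE…` flags keeps the `ssh -G` output stable for people who diff dumped configurations. dump_client_config continues outside the hunk.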
>@@ -80,6 +80,7 @@ typedef struct {
> char *proxy_command; /* Proxy command for connecting the host. */
> char *user; /* User to log in as. */
> int escape_char; /* Escape character; -2 = none */
>+ int escape_char_forward_menu; /* Enable forward menu (~C). */
>
> u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */
> char *system_hostfiles[SSH_MAX_HOSTS_FILES];
>diff --git a/ssh_config b/ssh_config
>index 90fb63f0..7af923fb 100644
>--- a/ssh_config
>+++ b/ssh_config
>@@ -42,6 +42,7 @@
> # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
> # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
> # EscapeChar ~
>+# EscapeCharForwardMenu yes
> # Tunnel no
> # TunnelDevice any:any
> # PermitLocalCommand no
>diff --git a/ssh_config.5 b/ssh_config.5
>index 591365f3..cef61187 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
>@@ -634,6 +634,18 @@ followed by a letter, or
> to disable the escape
> character entirely (making the connection transparent for binary
> data).
>+.It Cm EscapeCharForwardMenu
>+When you enter the EscapeChar cmdline (EscapeChar+C, default: ~C),
>+there is a menu which allows you to add or remove port forwardings.
>+This can be a security risk if you ssh into untrusted remote hosts.
>+If you use screen(1) or a terminal emulator that transports the escape
>+sequences back to the ssh client, an attacker might control
>+the menu and create tunnels into your local network.
>+The argument must be
>+.Cm yes
>+(the default)
>+or
>+.Cm no.
> .It Cm ExitOnForwardFailure
> Specifies whether
> .Xr ssh 1
>--
>2.11.1
>
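Review bot: The comment on the new field documents neither the -1 "unset" sentinel that initialize_options stores in it nor that `~` is only the default EscapeChar, whereas the adjacent `escape_char` comment spells out its -2 special value. Suggest `int escape_char_forward_menu; /* Allow port-forward commands on the EscapeChar+C line; -1 = unset */` so readers of the header see both the scope of the flag and its tri-state encoding. The struct continues outside the hunk.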