[Secure-testing-team] Bug#873201: openssh-client: command line parsing with -- between option and non-option arguments completely broken

Thorsten Glaser tg at mirbsd.de
Fri Aug 25 14:05:33 UTC 2017 

Package: openssh-client
Version: 1:7.5p1-7
Severity: grave
Tags: upstream security
Justification: user security hole

Dear Debian maintainer,

I was intending to report this upstream, but, contrary to the documentation
     * [9]openssh-unix-dev at mindrot.org This is a public list and is open to posting from non-subscribed
       users.
on https://www.openssh.com/report.html the upstream mailing list is not
open for postings, as I got a rejection message…
> Posting by non-members to openssh-unix-dev at mindrot.org is currently
> disabled, sorry.
… so please forward this upstream, as is a package maintainer’s duty.

Original message follows:

-----cutting here may damage your screen surface-----
From: Thorsten Glaser <t.glaser at tarent.de>
Message-ID: <alpine.DEB.2.20.1708251545580.2732 at tglase.lan.tarent.de>
To: openssh-unix-dev at mindrot.org
Date: Fri, 25 Aug 2017 15:57:47 +0200 (CEST)
Subject: command line parsing with -- between option and non-option arguments completely broken

Hi,

in the process of me fixing CVE-2017-12836 a user noticed a
problem with OpenSSH’s command line parsing.

I’ve verified these on OpenSSH 5.3 (MirBSD) and 7.5p1 (Debian).

So, to begin with, this command _should_ spawn xeyes:

$ ssh -oProxyCommand=xeyes vuxu.org

This command _could_ spawn xeyes on glibc systems, but
probably shouldn’t on POSIX or BSD systems:

$ ssh vuxu.org -oProxyCommand=xeyes

This command properly does not spawn xeyes but tries to
resolve “-oProxyCommand=xeyes” as hostname, correctly failing:

$ ssh -- -oProxyCommand=xeyes

This command *must not* spawn xeyes, but does:

$ ssh -- vuxu.org -oProxyCommand=xeyes

This instead must execute “-oProxyCommand=xeyes” as command
on the remote side.

Interestingly enough, this command works the same and also
mustn’t but also doesn’t:

$ ssh vuxu.org -- -oProxyCommand=xeyes

Now it gets completely weird, this doesn’t spawn xeyes either:

$ ssh -- vuxu.org -- -oProxyCommand=xeyes

This “should” execute “--” as command with “-oProxyCommand=xeyes”
as its first option on the remote site, but judging from the error
| mksh: ProxyCommand=xeyes: unknown option
it instead passes “-oProxyCommand=xeyes” as option to a shell on
the remote side.

I don’t do the security theatre, but this could perhaps be considered
missing command escaping on the remote side (passing what would be a
command as an option to the remote shell) in addition to completely
fucked up option parsing on the local side.

This was first reported by nickserv-auth’d user jn__ on #musl on
Freenode IRC, and leah2 forwarded it to me as current de-facto
maintainer of GNU CVS because I considered adding “--” between
option and nōn-option arguments sufficient for fixing the afore‐
mentioned CVE, judging this effective enough with normal command
line parsing rules (as in getopt(3) on OpenBSD) and given the
.Sx SYNOPSIS
in the ssh manpage.

bye,
//mirabilos

PS: Please keep me in Cc, I’m not subscribed to the list.
-----cutting here may damage your screen surface-----

Thanks!

PS: This affects cvs in wheezy, jessie and stretch but not sid.


-- System Information:
Debian Release: buster/sid
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.11.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages openssh-client depends on:
ii  adduser           3.116
ii  dpkg              1.18.24
ii  libc6             2.24-14
ii  libedit2          3.1-20170329-1
ii  libgssapi-krb5-2  1.15.1-2
ii  libselinux1       2.6-3+b2
ii  libssl1.0.2       1.0.2l-2
ii  passwd            1:4.4-4.1
ii  zlib1g            1:1.2.8.dfsg-5

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain                  <none>
ii  kwalletcli [ssh-askpass]  3.00-1
pn  libpam-ssh                <none>
pn  monkeysphere              <none>

-- Configuration Files:
/etc/ssh/moduli changed [not included]
/etc/ssh/ssh_config changed [not included]

-- no debconf information

More information about the Secure-testing-team mailing list