[erlang-questions] 'ssh' security issue

Jakob Cederlund jakobce@REDACTED
Tue Dec 10 18:20:57 CET 2013


Actually, the sample cli module works quite all right. The problem is that
the default implementation in ssh_cli for the "exec" thing in ssh is
actually to execute it (using erl_scan and erl_eval and stuff). There is an
undocumented option to ssh (actually to the ssh_cli module) that can be
used to customize this. The option {exec, {M, F, []}} takes an exported
function (M:F/1) that is called with the parameters given to the ssh
commands as a string. This function should spawn a process that writes the
desired output on stdout.

So to avoid the strange eval phenomenon, and provide another function that
just echoes the parameters back, you can write a module x:
-module(x).
-export([exec/1]).
exec(A) -> spawn(fun() -> io:format("~p\n", [A]), exit(normal) end).

and specify the function x:exec/1 as a call-back for the exec option:
B=ssh_sample_cli:listen(8323, [{subsystems, []}, {exec, {x, exec, []}}]).

And then when you do:
> ssh -p 8323 to.the.host 'lists:reverse("test").'

You get back:
"lists:reverse(\"test\")."

Hope this helps. (And sorry for the mess…)
/Jakob
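A fuller exec callback along the same lines, added here as an example rather than code from the post above: it assumes the same {exec, {M, F, []}} option and M:F/1 calling convention described above, and replaces the erl_eval behaviour with a fixed allowlist of commands (the module name safe_exec and its command set are made up for the example).

```erlang
-module(safe_exec).
-export([exec/1]).

%% Constructed example (not code from the original post). Exec callback for
%% the ssh_cli option {exec, {safe_exec, exec, []}}: the ssh server calls
%% safe_exec:exec(CmdString) for every "ssh host 'cmd'" request. Instead of
%% handing the string to erl_eval, only a fixed allowlist of commands is
%% recognised; anything else is refused and logged, never evaluated.
exec(Cmd) when is_list(Cmd) ->
    spawn(fun() -> run(string:tokens(Cmd, " \t\r\n")), exit(normal) end).

run(["help"]) ->
    io:format("help               this text~n"
              "gcd  <int> <int>   greatest common divisor~n"
              "uptime             milliseconds since node start~n");
run(["uptime"]) ->
    {Total, _} = erlang:statistics(wall_clock),
    io:format("~p~n", [Total]);
run(["gcd", A, B]) ->
    case {to_int(A), to_int(B)} of
        {{ok, X}, {ok, Y}} -> io:format("~p~n", [gcd(X, Y)]);
        _ -> io:format("gcd: arguments must be integers~n")
    end;
run(Tokens) ->
    %% Everything else is refused; the command line is only logged.
    error_logger:warning_msg("ssh exec refused: ~p~n", [Tokens]),
    io:format("unknown command; try 'help'~n").

%% Strict integer parse: the whole token must be an integer literal.
to_int(S) ->
    case string:to_integer(S) of
        {I, []} when is_integer(I) -> {ok, I};
        _ -> error
    end.

gcd(A, 0) -> abs(A);
gcd(A, B) -> gcd(B, A rem B).
```

With this module, `ssh -p 8323 to.the.host 'lists:reverse("test").'` prints "unknown command; try 'help'" and leaves a warning in the node's log instead of evaluating the expression.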



2013/12/10 Ingela Andin <ingela.andin@REDACTED>

> Hi!
>
> The CLI example in the SSH application must be seen as a hack. We intend
> to clean it up and extend the SSH documentation; when it gets prioritized
> I cannot say. Well, anyway, your CLI implementation must take care of the
> SSH exec request as well. You can also look at the ssh_cli.erl module.
> If I remember correctly there was a bug, before ssh-2.1.7, with regard to
> the exec request, so that it was not forwarded to the CLI process but rather
> always interpreted in the erlang shell environment.
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
>
> 2013/12/7 OvermindDL1 <overminddl1@REDACTED>
>
>> Greetings,
>>
>> I am attempting to just create an SSH shell to connect to a system by
>> users so they can do commands without the web interface, and as such I
>> certainly do not want things like port forwarding or being able to run
>> arbitrary erlang code, however I do not seem to be able to disable
>> running arbitrary erlang code.  An example of the ssh_sample_cli
>> included with erlang:
>> """
>> $ erl
>> Erlang R16B02 (erts-5.10.3) [source] [64-bit] [smp:8:8]
>> [async-threads:10] [hipe] [kernel-poll:false]
>>
>> Eshell V5.10.3  (abort with ^G)
>> 1> c(ssh_sample_cli).
>> ssh_sample_cli.erl:146: Warning: this expression will fail with a
>> 'badarith' exception
>> {ok,ssh_sample_cli}
>> 2> B=ssh_sample_cli:listen(8323, [{subsystems, []}]).
>> {ok,<0.67.0>}
>> """
>>
>> And from another shell/computer:
>> """
>> $ ssh -p 8321 to.the.host
>> myusername@REDACTED's password:
>> Enter command
>> CLI> help
>> CLI Sample
>> crash                  crash the cli
>> exit                   exit application
>> factors    <int>       prime factors of <int>
>> gcd        <int> <int> greatest common divisor
>> help                   help text
>> host                   print host addr
>> lcm        <int> <int> least common multiplier
>> prime      <int>       check for primality
>> primes     <int>       print all primes up to <int>
>> rho        <int>       prime factors using rho's alg.
>> self                   print my pid
>> user                   print name of user
>>
>> ---> ok
>> CLI> exit
>> ---> done
>> Connection to to.the.host closed.
>> """
>>
>> So far so good (the main program where I have this implemented has a
>> well running shell of its own), but let's try a couple other things:
>> """
>> $ sftp -P 8321 to.the.host
>> myusername@REDACTED's password:
>> subsystem request failed on channel 0
>> Connection closed
>> """
>>
>> Also good, no file transfers can be done since the option subsystem is
>> set to [], but notice:
>> """
>> $ ssh -p 8323 to.the.host 'lists:reverse("!?ti pots I od woh dna ereh
>> gnineppah si tahw woN").'
>> myusername@REDACTED's password:
>> "Now what is happening here and how do I stop it?!"
>> """
>>
>> So... I can still run arbitrary erlang commands, how do I stop this?
>> Unable to find an option to pass in or anything through a quick code
>> perusal to no avail.  Help?
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>