[erlang-questions] 'ssh' security issue

Ingela Andin ingela.andin@REDACTED
Wed Dec 11 09:17:14 CET 2013


2013/12/10 Jakob Cederlund <jakobce@REDACTED>

> Actually, the sample cli module works quite all right.

The problem with it is that it was written a long time ago, before
today's documented API was set. And until we have had time to look it
over and make it part of the documented examples of the User's Guide,
it must be considered a hack. Also, in the upcoming release of the ssh
application the internals of ssh have changed quite a bit. And although
ssh is still fully backwards compatible with every documented aspect of
the application, some very early, never documented aspects may not work
anymore. There also exist some undocumented features that we intend to
document in the future.

Regards Ingela Erlang/OTP team - Ericsson AB

> The problem is that the default implementation in ssh_cli for the "exec"
> thing in ssh is actually to execute it (using erl_scan and erl_eval and
> stuff). There is an undocumented option to ssh (actually to the ssh_cli
> module) that can be used to customize this. The option {exec, {M, F, []}}
> takes an exported function (M:F/1) that is called with the parameters given
> to the ssh commands as a string. This function should spawn a process that
> writes the desired output on stdout.
> So to avoid the strange eval phenomenon, and provide another function that
> just echoes the parameters back, you can write a module x:
> -module(x).
> -export([exec/1]).
> exec(A) -> spawn(fun() -> io:format("~p\n", [A]), exit(normal) end).
> and specify the function x:exec/1 as a call-back for the exec option:
> B=ssh_sample_cli:listen(8323, [{subsystems, []}, {exec, {x, exec, []}}]).
> And then when you do:
> > ssh -p 8323 to.the.host 'lists:reverse("test").'
> You get back:
> "list:reverse(\"test\")."
> Hope this helps. (And sorry for the mess…)
> /Jakob
> 2013/12/10 Ingela Andin <ingela.andin@REDACTED>
>> Hi!
>> The CLI example in the SSH application must be seen as a hack. We intend
>> to clean it up and
>> extend the SSH documentation, when it gets prioritized I can not say.
>> Well anyway your CLI
>> implementation must take care of SSH exec request as well.  You can also
>> look at the ssh_cli.erl  module.
>> If I remember correctly there was a bug, before ssh-2.1.7, with regards
>> to the exec request  so that  it was not forwarded to CLI process but
>> rather always interpreted in the erlang shell environment.
>> Regards Ingela Erlang/OTP team - Ericsson AB
>> 2013/12/7 OvermindDL1 <overminddl1@REDACTED>
>>> Greetings,
>>> I am attempting to just create an SSH shell to connect to a system by
>>> users so they can do commands without the web interface, and as such I
>>> certainly do not want things like port forwarding or being able to run
>>> arbitrary erlang code, however I do not seem to be able to disable
>>> running arbitrary erlang code.  An example of the ssh_sample_cli
>>> included with erlang:
>>> """
>>> $ erl
>>> Erlang R16B02 (erts-5.10.3) [source] [64-bit] [smp:8:8]
>>> [async-threads:10] [hipe] [kernel-poll:false]
>>> Eshell V5.10.3  (abort with ^G)
>>> 1> c(ssh_sample_cli).
>>> ssh_sample_cli.erl:146: Warning: this expression will fail with a
>>> 'badarith' exception
>>> {ok,ssh_sample_cli}
>>> 2> B=ssh_sample_cli:listen(8323, [{subsystems, []}]).
>>> {ok,<0.67.0>}
>>> """
>>> And from another shell/computer:
>>> """
>>> $ ssh -p 8321 to.the.host
>>> myusername@REDACTED's password:
>>> Enter command
>>> CLI> help
>>> CLI Sample
>>> crash                  crash the cli
>>> exit                   exit application
>>> factors    <int>       prime factors of <int>
>>> gcd        <int> <int> greatest common divisor
>>> help                   help text
>>> host                   print host addr
>>> lcm        <int> <int> least common multiplier
>>> prime      <int>       check for primality
>>> primes     <int>       print all primes up to <int>
>>> rho        <int>       prime factors using rho's alg.
>>> self                   print my pid
>>> user                   print name of user
>>> ---> ok
>>> CLI> exit
>>> ---> done
>>> Connection to to.the.host closed.
>>> """
>>> So far so good (the main program where I have this implemented has a
>>> well running shell of its own), but let's try a couple other things:
>>> """
>>> $ sftp -P 8321 to.the.host
>>> myusername@REDACTED's password:
>>> subsystem request failed on channel 0
>>> Connection closed
>>> """
>>> Also good, no file transfers can be done since the option subsystem is
>>> set to [], but notice:
>>> """
>>> $ ssh -p 8323 to.the.host 'lists:reverse("!?ti pots I od woh dna ereh
>>> gnineppah si tahw woN").'
>>> myusername@REDACTED's password:
>>> "Now what is happening here and how do I stop it?!"
>>> """
>>> So... I can still run arbitrary erlang commands, how do I stop this?
>>> Unable to find an option to pass in or anything through a quick code
>>> perusal to no avail.  Help?
>>> _______________________________________________
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
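
An allowlist variant of the exec callback described in the thread, as an added example that is not part of the original messages or of OTP: instead of echoing the command back, it dispatches a fixed set of commands and rejects everything else. The module name safe_exec, its helper names and the command set (gcd, lcm and help, borrowed from the sample CLI's help text) are assumptions; the exec option itself is undocumented according to the thread, so its behaviour in other ssh releases should be checked before relying on it.

```erlang
%% Added example; module and function names are hypothetical.
-module(safe_exec).
-export([exec/1, run/1]).

-define(MAX_LEN, 256).

%% Callback for the exec option, wired in the form the thread gives:
%%   ssh_sample_cli:listen(8323, [{subsystems, []},
%%                                {exec, {safe_exec, exec, []}}]).
%% It receives the client's command string and returns the pid of a
%% process that writes the reply to stdout.
exec(Cmd) ->
    spawn(fun() -> io:put_chars(run(Cmd)), exit(normal) end).

%% Pure dispatcher, callable from the Erlang shell without SSH.
%% The input is only split on whitespace and matched against fixed
%% patterns; it never reaches erl_scan or erl_eval.
run(Cmd) when not is_list(Cmd) ->
    "error: bad request\n";
run(Cmd) when length(Cmd) > ?MAX_LEN ->
    "error: command too long\n";
run(Cmd) ->
    case string:tokens(Cmd, " \t\r\n") of
        ["gcd", A, B] -> apply_ints([A, B], fun([X, Y]) -> gcd(X, Y) end);
        ["lcm", A, B] -> apply_ints([A, B], fun([X, Y]) -> X * Y div gcd(X, Y) end);
        ["help"]      -> "allowed: gcd <int> <int> | lcm <int> <int> | help\n";
        _             -> "error: command not allowed\n"
    end.

%% Run F only if every argument is a positive decimal integer.
apply_ints(Args, F) ->
    case [N || {ok, N} <- [parse_int(A) || A <- Args]] of
        Ints when length(Ints) =:= length(Args) ->
            io_lib:format("~p~n", [F(Ints)]);
        _ ->
            "error: expected positive integers\n"
    end.

parse_int(S) ->
    case string:to_integer(S) of
        {N, []} when is_integer(N), N > 0 -> {ok, N};
        _ -> error
    end.

gcd(A, 0) -> A;
gcd(A, B) -> gcd(B, A rem B).
```

With this callback, a request such as the lists:reverse one from the thread arrives as a single token that matches no pattern and gets the "command not allowed" reply.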