[scponly] scponly 4.2 released (IMPORTANT SECURITY FIXES)

wby oblyr joe at sublimation.org
Wed Dec 21 19:49:50 EST 2005

Hi all,

I'm disappointed to report that there are TWO security fixes in the latest version of scponly.  Descriptions and 
solutions are discussed below.  (they are also described in detail at http://sublimation.org/scponly/#relnotes )

Some other features have made it into the release as well, though not nearly as many as I had hoped.  Given the 
nature of the security fixes, I did not want to wait.

To get 4.2, visit http://sublimation.org/scponly

MD5 (scponly-4.2.tgz) = 270dedc527d6fbc68b152b8bb3c8a864

For the programmers on the list, I'd appreciate some scrutiny on the fixes I have implemented for these problems.  
As usual, your collective testing and validation is very valuable to the project.


SECURITY PROBLEM 1, reported by Max Vozeler:

Problem Description:
If ALL the following conditions are true, administrators using scponly-4.1 or older may be at risk of a local 
privilege escalation exploit:                                                                                          
 - the chrooted setuid scponlyc binary is installed                                                                     
 - regular non-scponly users have interactive shell access to the box
 - a user executable dynamically linked setuid binary (such as ping) exists on the same file system mount as the 
user's home directory
 - the operating system supports an LD_PRELOAD style mechanism to overload dynamic library loading

To exploit this vulnerability, a non-root user could:                                                                   
 - log in via an interactive shell                                                                                      
 - create an ad-hoc chroot directory structure in their home directory (with bin, lib, etc directories)                                            
 - create a hardlink to a system setuid program, such as ping (which is setuid), effectively placing a setuid 
binary in their chroot.  (this is why the setuid binary has to be on the same mount point, as hardlinks cannot 
traverse file systems and softlinks cannot traverse outside the chroot)                                                                                               
 - stage a malicious ld preload configuration to overload a call from the setuid (such as getuid()) with one that 
does something malicious                                                                                                                         
- users invoke scponlyc (the setuid chrooting scponly binary), which then chroots into their malicious chroot 
environment, call the setuid program (ping), which then calls the overridden function (getuid), doing whatever it 
is they wrote into their custom library

The new release of scponly-4.2 disallows chrooting to any directory that:                                               
        - is owned by someone other than the superuser (UID 0)                                                          
        - is writeable by group or other                                                                                

This assures that every chroot scponly uses was created/approved by the system administrator and thus is assumed 
to not contain malicious ld.preload.conf files.
SECURITY PROBLEM 2, reported by Pekka Pessi:

Problem Description:
If ANY the following conditions are true, administrators using scponly-4.1 or older may be at risk of a local 
privilege escalation exploit:                                                                                          
 - scp compatibility is enabled
 - rsync compatibility is enabled
To exploit this vulnerability, a remote scponly user could:
 - construct a malicious command line argument to either the rsync or scp..  Athough scponly does check for 
arguments that allow the user to specify a program to run, it does not use getopt() style processing to locate 
these potentially malicious arguments.  As such "scp -vS some_executable file1 file2" would get past the malicious 
argument detection.

The new release of scponly-4.2:
 - uses getopt to process the arguments to scp and rsync.
 - does not support rsync or scp by default

More information about the scponly mailing list