terminal multiplexers bypass remote sudo password #51
Comments
Fuseteam
changed the title
|
Thanks for reporting! I'm slightly irritated because we now walk the process hierarchy and as long sshd (or telnetd) is found in the parent chain it should be denied. I have the feeling it's somehow related to the detaching most multiplexers provide. In that case I could slap the previously used utmp check on it - i hope - to catch those cases. But well possible that we will have to accept that it either has some holes, or some cases where the auth fails incorrectly. Which would mean an option again :D Will investigate next week. In case you're motivated to test some things: it would be interesting to see if |
|
Note to myself: check if possible to find spawning process in case there is no parent found (or left) |
haha yeah but considering it was also bypassed in version 0.7.1 i kinda doubt the utmp will help much i will test screen for sure and i'll paste the output from debug true as soon as i got it x |
utmp wasn't used in default config because of "unknown_pts_as_local" (well, it was used - but a not-found resulted in "assume it will be local". That option was introduced with default=true because else i.e gdm3 failed to auth (at least on Ubuntu). But I have the hope that maybe a detached session (which I assume is the cause here) will get a proper utmp entry. In that case we could use the current approach, and if no remote daemon is found (like it seems in this case/issue) use utmp additionally to verify. Of course that requires that we have a proper utmp entry for that session, if not - get rekt. Which btw is another thing you could check if you want - after you used that bypass method you could run Edit: Also, a small disclaimer: I'm a more or less veteran coder, and avid linux user, but not very familiar with the inner workings in all cases on such deep levels. So please bear with me while I work such stuff out. Thanks for your help! |
|
sure no problem just checked out screen it is being denied xD and here's the one for screen and the output of |
|
Really surprised screen isn't affected. Interesting. But for tmux the "utmp on top" approach would seem to work since there is clearly a remote session for it in utmp, that's nice to know. |
|
yeah i'm surprised by screen as well xD |
|
i did a couple more tests and it appears there's always 2 sessions for tmux/byobu in utmp when I'm ssh'ed in regardless whether I'm attached to the same session on both devices or not |
|
For the records: tmux having seemingly no parent process is explained here: https://superuser.com/a/1472783 |
nice find! based on this piece
bolding mine I suppose this means we're walking the process tree of the server rather of the client perhaps? 🤔 |
|
The issue is: trough this "Quake 3 like re-spawning" I'm right now working on an approach that still walks the process tree, but also checks if stdin of parent process is attached to a remote session in utmp. If this works like intended it would be "throwing a nuke onto cockroaches" and should solve all similar cases. I've opened a local ssh session and ran |
|
cool that sounds like quite a robust approach, hopefully this hammers the hole shut once and for all |
|
Since tmux redirects stdin, stdout and stderr my planned approach isn't working. Current new plan: understand the libprocps api and use it to get the tty of given process - which would work very likely. That's what's used by ps and top to get informations, including the correct tty. But that will take a while because I couldn't find a nice example of how to just get the info for a given pid 😅 |
|
yeah no problem, thanks for the update |
|
Know what, I hate tmux lol. Turn's out, my approach works nicely - but: we are running in the context of the server (in tmux terms), which yields the wrong tty, which again results in a non working check 🤦 Still need to check if this also applies to byobu. But I've found that tmux sets an env var containing the client id, which again can be used with
Of course this could be circumvented by just deleting or modifing that envvar. For deleting I would fallback to denying the request. Modification are still a potential attack vector, but since this would stilll require to gain login at first I don't think it's an issue. You happen to know any other multiplexers I should test? |
|
lol tmux does things quite weirdly, sadly I only know of byobu, tmux and screen, afaict byobu is just a front end for a terminal multiplexer. by default the backend on ubuntuis tmux i now found two more terminal multiplexers we could test: https://fedoramagazine.org/4-cool-terminal-multiplexers/ |
|
Oh that's nice to know, then I should check what backends it supports. |
|
hmm found a list of 7 terminal multiplexers: https://www.linuxlinks.com/terminalmultiplexers/ but I have a feeling the additional two are just forked from tmux |
|
Local tmux (in bash, in terminator, under gnome-shell with gdm3): https://asciinema.org/a/4TYiAyxIAwUHt3AmGHqs5eGhw 😁 Seems this works quite well, but need to clean up and shuffle some stuff around before I will provide a testing release. Guess you can expect a deb sometime next week. |
|
cool 🤩 great work! |
|
Seems the
|
|
Seems
Updated deb at the usual link, https://www.dropbox.com/s/af1ghfgheyp7cfn/libpam-usb_0.7.4_amd64.deb?dl=0 |
|
hmm weird stuff happening here: but if i also open a new byobu window from the remote machine in the same session to get the above i get this: i installed with |
|
I smell a botched |
|
Should be fixed, deb is updated again https://www.dropbox.com/s/af1ghfgheyp7cfn/libpam-usb_0.7.4_amd64.deb?dl=0 btw, we are "network siblings" hehe - same address space XD |
|
oho~ touché
haha how fun xDDD |
|
Yeah, I can see how that happens... That will be easy to fix I guess. |
|
cool xD |
|
Since you seem to know byobu and surrounding stuff quite well, could you test this with Edit: Edit 2: nvm, i dont think either one matters. Deb updated, https://www.dropbox.com/s/af1ghfgheyp7cfn/libpam-usb_0.7.4_amd64.deb?dl=0 |
|
oho~ seems to work |
|
lmao i literally opened the issue right as you commented, nice :D |
|
great timing xDDD |
|
if you still find a way to break it before 29. August 23:59 we should start talking about bug bounties, else it will be released after that datetime. huge thanks for all your testing efforts, i owe you one. If you ever need a hand with one of your issues feel free to tag me. |
|
so far so good, awesome work 👍 if i don't find a wayt to break it by that datetime i'll close the issue too xD happy to help, and thanks will do |
|
I like your silence 🤣 |
|
🤣 🤣 🤣 🤣 🤣 🤣 |
|
heh so far so good |
|
Let's leave it open for now, since the fix is not merged yet. I still need to clean some stuff in the PR up before merging, issue will be autoclosed by merge then. |
The tty only approach had downsides (see #8), its fix had downsides too (see #39), and the name approach had downsides (see #51) too, let's try all together plus some additional magic. This modifies local check to: * check for sshd/telnetd in process chain - for the obvious cases * check for tmux in process chain, if found parse its environment to determine tmux client id to determine session tty for utmp check * if tmux found, but session tty not, check for remote clients attached to tmux * check for DISPLAY, if found use that for utmp check * in case no remote daemon was found, tmux wasn't detected, and DISPLAY is not set - fall back to good ol' ttyname() which should now be safe since we handled all edge cases before Closes #51 * #51: process:c add get_process_tty() * #51: local.c: Re-add utmp code, to be used by parent pid using process.c [WIP] * #51: Add @todo * #51: [WIP] Rework get_process_tty(), check for X session, add more debug logging * #51: [WIP] If tmux detected use it to detect the login tty * #51: local.c use new tmux/display/tty approach in all cases * #51: process.c: remove get_process_tty(), local.c: rename from to session_tty * #51: [Debian] [Packaging] Re-add 'Standards-Version', got lost somehow * #51: local.c: replace 4-spaces with tabs to keep uniform formatting * #51: remove libprocps depency again * #51: local.c: remove current_tty - used only for logging / making the code order nicer * local.c: spaces... * local.c: fix alt-tab-typo and some formatting * #51: Test for open udp port 177 (XDMCP negotiation), if not found allow (when display manager is found) * #51: Remove port check stuff again, XDMCP is a pain to setup for testing and is insecure anyway * #51: local.c: whitelist graphical logins by service tag, remove xdmcp leftovers * #51: Make ttyname() approach default fallback for all cases * #51: local.c: extract tmux magic to tmux.c * #51: local.c/Makefile: make use of tmux.c, adjust to new chain * #51: Iterate all tty methods, add 'tmux var from parent proc', cleanup formatting * #51: local.c: add pusb_get_tty_by_xorg_display(), used to get tty by DISPLAY var (for SDDM sessions) * #51: Fix DISPLAY fallback, add more debug, expect console and pts * #51: Add pusb_ prefix to new functions * #51: Add pusb_ prefix to new functions 2nd edition * #51: Whitelist sddm too * #51: [WIP] [deb} Update news and changelog * #51: Fix incorrect return handling reported in #51 (comment) * #51: Fix derp * actions: make sure no previously build debs are installed again... * #51: Check for remotely connected clients to local tmux sessions * #51: This and that * #51: Fix v6 detection of connected tmux sessions * #51: Cleanup * #51: 'Fix' debug output * #51: Fix warning unitialized for tmux_pid * #51/#64: Replace utmp with utmpx stuff / posix compliance * #51: tmux.c: extend regex to capture full 'attach' argument too * #51: Fix last case of byobu/tmux * #51: Remove version update, will be done in seperate PR * #51: Cleanup
|
Released as v0.8.0 |
|
wooohooo thanks 👍 |
hi me again, thanks for recent update, i just happen to be running version 0.7.1 and version 0.7.3 at the same time, so I can confirm this bug also exists on version 0.7.1
basically the steps to reproduce it are these:
deny remote is set to true and it indeed denies access outside of byobu, it also denies the 'cup of tee' access aswell in the case of 0.7.3(as expected), but inside of byobu or tmux it happily grants access
The text was updated successfully, but these errors were encountered: