[Security] Elevation of privilege over loopback #680
Comments
|
Mitigation: |
|
That mitigation is absurd. It's quite normal to have both ssh and sshd on a single system. Pretty much every 'nix system I've ever set up works that way. Windows needs to catch up to the 80s. The problem is in how elevation works. You should be elevating per-command not for the entire shell. |
|
Couldn't this be avoided by ensuring that the keys used for the client are incompatible with the keys used for the server? |
|
Please don't focus on the loopback aspect of this. The problem is not the fact that users can loopback. The problem is if the user connects to an elevated session. Period. Full Stop. Any attempt to address this by preventing loopback will break things that should work, and would not substantially mitigate the problem (the attacker would just need to connect out and then back in). Outside of Windows, a user connecting via SSH is not be connected to an elevated session even if they have sudoer/administrator rights. They need to elevate individual commands (including, perhaps, launching an elevated shell) after they're connected, using |
|
The correct solution requires support of |
and others
Please answer the following
"OpenSSH for Windows" version
0.0.12.0
OS details
All
What is failing
Elevation of privilege in the following setting:
Malware running within an admin non-evelated session and create a ssh remote session over loopback (or to local IP) and can access an elevated remote ssh session on the same box.
Expected output
SSH remote sessions created with SSO over loopback should have no more privileges than client process.
Actual output
SSh remote sessions are elevated.
The text was updated successfully, but these errors were encountered: