Jochen Bern
2023-Jul-05 08:52 UTC
Subsystem sftp invoked even though forced command created
On 05.07.23 02:50, Damien Miller wrote:
> Some possibilities:
> 1. the receive.ksh script is faulty in some way that causes it to invoke
> sftp-server

How would the script even *know* that the client requested the SFTP subsystem? Is a subsystem's executable/path, supposedly internally overwritten with the forced command at that point, exposed through $SSH_ORIGINAL_COMMAND?

(As a quick preliminary check, I'd suggest doing a "ps auwwwx --forest" on the server while WinSCP has a "hacked" session open. If the sftp-server process turns out to be a child of the script, bingo. If not, the script could still be the culprit, but then we'd know that it must "exec" the sftp-server or somesuch, rather than calling it "normally" as a subprocess.)

Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
MCMANUS, MICHAEL P
2023-Jul-05 16:01 UTC
Subsystem sftp invoked even though forced command created
It appears the forced command either does not run or runs to completion and exits immediately, as there is no process named "receive.ksh" in the process tree. The sftp-server process is an immediate child of the privilege-separation sshd process:

root        1157  0.0  0.1  94556  5804 ?     Ss  Jun07 0:00 /usr/sbin/sshd -D
root     3933778  0.0  0.2 155624  9732 ?     Ss  10:34 0:00  \_ sshd: mm1072 [priv]
mm1072   3933794  0.0  0.1 155624  5564 ?     S   10:34 0:00  |   \_ sshd: mm1072 at pts/0
mm1072   3933795  0.0  0.1  25428  5252 pts/0 Ss  10:34 0:00  |       \_ -bash
mm1072   3934980  0.0  0.1  59200  4636 pts/0 R+  10:57 0:00  |           \_ ps auwwwx --forest
root     3934958  0.1  0.2 155628 10568 ?     Ss  10:56 0:00  \_ sshd: m61586 [priv]
m61586   3934972  0.0  0.1 155628  5576 ?     S   10:56 0:00      \_ sshd: m61586 at notty
m61586   3934973  0.0  0.1  47280  5228 ?     Ss  10:56 0:00          \_ /usr/libexec/openssh/sftp-server

Mike McManus
Principal - Technology Security
GTO Security Governance Team - Unix
He/Him/His
AT&T Services, Inc.
20205 North Creek Pkwy, Bothell, WA 98011
michael.mcmanus at att.com
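Added example (not part of either message, and not code from the OpenSSH project): the parent/child check suggested in the thread, automated over `ps -eo pid=,ppid=,args=` output. The two sample trees are constructed from the process listing in the message above, with PPIDs inferred from the tree, and /path/to/receive.ksh is a placeholder path.

```shell
#!/bin/sh
# Usage: ps -eo pid=,ppid=,args= | sftp_parentage receive.ksh
# Reports, per sftp-server process, whether the named wrapper is an ancestor.
sftp_parentage() {
    awk -v wrapper="$1" '
    {
        pid = $1; parent[pid] = $2
        sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+/, "")  # leave only the args column
        args[pid] = $0
    }
    END {
        for (pid in args) {
            if (args[pid] !~ /sftp-server/) continue
            verdict = "no-wrapper-in-ancestry"
            p = parent[pid]; hops = 0
            # Walk up the tree; stop at an unknown parent or after 64 hops.
            while ((p in args) && hops++ < 64) {
                if (index(args[p], wrapper)) { verdict = "descends-from-wrapper"; break }
                p = parent[p]
            }
            pp = parent[pid]
            print pid, verdict, "parent=" ((pp in args) ? args[pp] : "unknown")
        }
    }' | sort -n
}

# Constructed input: the tree from the ps output above, with PPIDs inferred.
sample_observed() {
    cat <<'EOF'
1157 1 /usr/sbin/sshd -D
3934958 1157 sshd: m61586 [priv]
3934972 3934958 sshd: m61586@notty
3934973 3934972 /usr/libexec/openssh/sftp-server
EOF
}

# Constructed input: the tree if the script (placeholder path) had spawned it.
sample_wrapped() {
    cat <<'EOF'
1157 1 /usr/sbin/sshd -D
4000 1157 sshd: m61586 [priv]
4001 4000 sshd: m61586@notty
4002 4001 /bin/ksh /path/to/receive.ksh
4003 4002 /usr/libexec/openssh/sftp-server
EOF
}

sample_observed | sftp_parentage receive.ksh
sample_wrapped  | sftp_parentage receive.ksh
```

A result of no-wrapper-in-ancestry does not clear the script: as noted in the thread, a script that uses "exec" to start sftp-server replaces itself and leaves no entry in the tree.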