From 36d6ba7d073acf84def76dfcd7600a82cd2e9ce6 Mon Sep 17 00:00:00 2001 From: Christoph Anton Mitterer Date: Wed, 30 Nov 2022 04:29:53 +0100 Subject: [PATCH] ssh_filter_btrbk.sh: disallow newlines in the SSH command MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This disallows newline (that is: LF characters) in the SSH command, which could have been exploited for arbitrary code execution, since commit 77a39282de6fdc98cad1270c6b5b6105629d5e5a. Example: # export SSH_ORIGINAL_COMMAND=$'readlink /dev/stdout\ncat /etc/shadow' # ssh_filter_btrbk.sh Since `readlink` is a generally allowed command, this works with any of ssh_filter_btrbk.sh’s options. But most likely, other commands that are “added” via `allow_cmd()` can be used, too. Signed-off-by: Christoph Anton Mitterer # Please enter the commit message for your changes. Lines starting # with '#' will be kept; you may remove them yourself if you want to. # An empty message aborts the commit. # # Date: Wed Nov 30 04:29:53 2022 +0100 # # On branch fix-remote-code-execution # Your branch and 'origin/fix-remote-code-execution' have diverged, # and have 1 and 1 different commits each, respectively. # (use "git pull" to merge the remote branch into yours) # # Changes to be committed: # modified: ssh_filter_btrbk.sh # # Untracked files: # ORIG # --- ssh_filter_btrbk.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ssh_filter_btrbk.sh b/ssh_filter_btrbk.sh index 5c57409..d4ea193 100755 --- a/ssh_filter_btrbk.sh +++ b/ssh_filter_btrbk.sh @@ -183,6 +183,8 @@ restrict_path_list=${restrict_path_list#\|} case "$SSH_ORIGINAL_COMMAND" in *\.\./*) reject_and_die 'directory traversal' ;; + *' +'*) reject_and_die 'unsafe character LF' ;; *\$*) reject_and_die 'unsafe character "$"' ;; *\&*) reject_and_die 'unsafe character "&"' ;; *\(*) reject_and_die 'unsafe character "("' ;;
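Review bot: The new arm in the `case "$SSH_ORIGINAL_COMMAND"` block writes the LF as a literal newline inside single quotes, so the pattern spans two source lines (`*'` then `'*)`) with no comment, and it is easy to misread as a quoting mistake or to damage when the file is re-indented or reflowed. Please add a one-line comment above it saying that the pattern is a literal newline and that it must stay ahead of the per-command matching. The commit message says the hole exists since 77a39282de6fdc98cad1270c6b5b6105629d5e5a and that commands added via `allow_cmd()` are probably affected too, so the comment could reference that. The check itself is one more entry in a deny-list (`$`, `&`, `(` follow it in the visible context), and the patch does not say whether other control characters were considered, so a sentence on that in the commit message would help reviewers judge completeness. The `SSH_ORIGINAL_COMMAND=$'readlink /dev/stdout\ncat /etc/shadow'` example from the message would make a good regression case asserting that the filter now ends in `reject_and_die 'unsafe character LF'`. Separately, the commit message still carries git's editor template (from "# Please enter the commit message for your changes." through "# Untracked files: # ORIG"), which should be stripped before this is applied.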