Mail Archives: cygwin/2016/02/09/01:43:31

From: "David Willis" <david_willis AT comcast DOT net>
To: <cygwin AT cygwin DOT com>
Subject: Possible Security Hole in SSHD w/ CYGWIN?
Date: Mon, 8 Feb 2016 22:43:11 -0800
Message-ID: <016c01d16305$252c94c0$6f85be40$@comcast.net>

Hello,

I noticed that when connecting via SSH to a CYGWIN-based SSHD server, if the
user connects to a network share (i.e. they CD to the share UNC path in the
BASH/CYGWIN shell), they get connected as the privileged server user account
created for privilege separation when SSHD is configured w/ ssh-host-config.
In other words, they have the rights of that account, and if that account
happens to be a domain admin (or even a local admin on the box hosting the
share), that user has full admin rights on that share, when in fact they
should have the rights assigned to the user account they SSH'd in with.

To reproduce, connect via SSH (from either a Linux or CYGWIN/Windows client)
to a CYGWIN-based SSHD server using a normal privileged user account (an
account preferably that is not an admin either on the client or server
machine). Once connected to the Windows SSHD server, CD to a UNC path of a
network share. Once CD'd to that path, check Computer Management on that
server, and go to Shares->Open Sessions, and you will see that the user
connected is the privileged SSHD server account (and it will obviously show
as being connected from the machine you are SSH'd into).

Anyone else ever notice this before?

Running OpenSSH v7 BTW, SSH client is Win7, SSH server Win7, file share
server Win2008R2.


Thanks,


David
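
The following is an added example, not part of the original message or of Cygwin/OpenSSH: a small audit that flags file-share sessions opened from the sshd host under the sshd service account and lists the SSH users who had logged in shortly before. The account name `cyg_server`, the address `10.0.0.20`, the syslog-style sshd lines and the session tuples are assumptions and constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Assumptions (not from the original post): account name, host address, log format.
SSHD_SERVICE_ACCOUNT = "cyg_server"   # assumed name of the privileged sshd account
SSHD_HOST = "10.0.0.20"               # assumed address of the Cygwin sshd server

ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")

def parse_logins(lines, year):
    """Return (time, user, source) for each successful sshd login line."""
    logins = []
    for line in lines:
        m = ACCEPTED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            logins.append((ts, m["user"], m["src"]))
    return logins

def suspect_sessions(smb_sessions, logins, window=timedelta(hours=8)):
    """Flag share sessions opened from the sshd host as the service account,
    listing the SSH users who logged in during the preceding window."""
    findings = []
    for opened, client, user in smb_sessions:
        if client != SSHD_HOST or user.lower() != SSHD_SERVICE_ACCOUNT:
            continue
        candidates = sorted({u for ts, u, _ in logins
                             if timedelta(0) <= opened - ts <= window})
        findings.append({"opened": opened, "share_user": user,
                         "ssh_users": candidates})
    return findings

# Constructed sample data, not taken from a real system.
SSHD_LOG = [
    "Feb  8 22:10:03 sshhost sshd[2104]: Accepted publickey for alice from 10.0.0.7 port 50122 ssh2",
    "Feb  8 22:11:40 sshhost sshd[2150]: Failed password for bob from 10.0.0.9 port 50200 ssh2",
    "Feb  8 23:30:00 sshhost sshd[2290]: Accepted password for carol from 10.0.0.8 port 50311 ssh2",
]
SMB_SESSIONS = [  # (opened, client address, account shown in Open Sessions)
    (datetime(2016, 2, 8, 22, 15, 0), "10.0.0.20", "cyg_server"),
    (datetime(2016, 2, 8, 22, 20, 0), "10.0.0.7", "alice"),
]

if __name__ == "__main__":
    for f in suspect_sessions(SMB_SESSIONS, parse_logins(SSHD_LOG, 2016)):
        print(f)
```
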

