Unquoted Service Path Disclosure - OpenSSH Portable versions 9.1.0.0v - 9.4.0.0v

Summary

OpenSSH Portable versions 9.1.0.0v - 9.4.0.0v introduce an unquoted service path vulnerability during installation. The installed services are assigned privileges that allow local privilege escalation, following the normal exploitation path for unquoted service path vulnerabilities.

No CVE or other public identifier has been assigned to this issue, nor can it be resolved through a normal patching process. Servers will need to be reviewed using the following command, which specifically checks for unquoted service paths in SSH services:

wmic service get name,displayname,pathname,startmode |findstr /i "ssh"|findstr /i /v "c:\windows\\" |findstr /i /v '\"'        

Introduction

Direct support for OpenSSH in Windows has been a long time coming, and while finally here, has been quite a journey. One part of this journey has been the https://github.com/PowerShell/openssh-portable repository which allowed server administrators to install a beta release of OpenSSH onto their Windows servers and workstations prior to full built-in support from Microsoft.

A cursory search for "openssh install windows" yields results such as:

All of which reference the https://github.com/PowerShell/Win32-OpenSSH repository as a beta, manual installation method, support for older Windows installs, or way to get the latest OpenSSH version.

This repository acts as release management and documentation for the https://github.com/PowerShell/openssh-portable repository, where active development of the PowerShell team's OpenSSH port takes place. Within openssh-portable, the file "install-sshd.ps1" (https://github.com/PowerShell/openssh-portable/blob/latestw_all/contrib/win32/openssh/install-sshd.ps1) is maintained and ported into release versions, with guides indicating that it should be run as part of the install process.

The same installation guides provide instructions similar to "Extract contents of the latest build to C:\Program Files\OpenSSH". Since the quotes around the service installation path were removed (https://github.com/PowerShell/openssh-portable/commit/043a20b8080adc62be28d0d3d61a88e9e9a16425), the recommendation to install OpenSSH into a path containing a space character creates the classic scenario for an unquoted service path vulnerability. Complicating the matter, the script will happily install wherever it is placed on the file system, drastically increasing the chances of an exploitable scenario.

Unquoted service path vulnerabilities abuse the way Windows searches for files when there is ambiguity in the path. In this context, ambiguity refers to a path which is not wrapped in quotes and contains a space character, such as C:/Program Files/OpenSSH/New Folder/sshd.exe. When this path is configured as the path to a service executable without quotes, Windows will look for the following files (in order):

  • C:/Program.exe
  • C:/Program Files/OpenSSH/New.exe
  • C:/Program Files/OpenSSH/New Folder/sshd.exe

If either C:/Program.exe or C:/Program Files/OpenSSH/New.exe can be written to by a low privileged user, then that file will be run instead of sshd.exe, with the privileges of the service.

Exploitation Conditions:

Following the relevant steps of the install guide mentioned at https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH#install-win32-openssh-test-release (steps 4 & 8) leads us to the following:

This creates an unexploitable condition for a low privileged user on a default Windows install where a malicious binary would need to be dropped onto the system as "C:/Program.exe". While users can by default create directories under the system root, they can't create files, preventing exploitation in this context. However, the install script is flexible and allows execution from any directory which creates scenarios for a forgotten temporary install to undermine the security of the host:

Regardless of install location, the SSH services are set with the following privileges in the install script:

  • SeAssignPrimaryTokenPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeImpersonatePrivilege

Remediation:

Since there is no CVE assigned to this, nor a patch which can be applied to automatically resolve the issue, a review of any potentially affected hosts will be required to identify and resolve the issue. This can be done with a command like:

wmic service get name,displayname,pathname,startmode |findstr /i "ssh"|findstr /i /v "c:\windows\\" |findstr /i /v '\"'        

Any identified instances can then be resolved by updating the associated service registry key, or by uninstalling and reinstalling using the 9.5.0.0v script at https://github.com/PowerShell/openssh-portable/blob/latestw_all/contrib/win32/openssh/install-sshd.ps1
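The following PowerShell is an added example, not part of the advisory or the openssh-portable project. It automates the two points above: the candidate-file search order described in the Introduction (the truncated paths Windows probes before the real binary) and the registry remediation. Function names are the author's own; it assumes an elevated PowerShell session on the host under review, and the default "ssh" name filter is an assumption matching the wmic check.

```powershell
# Added example (not from the advisory or the openssh-portable project).
# Assumes an elevated PowerShell session on the Windows host being reviewed.

# Truncated paths Windows tries before the intended binary for an unquoted
# path, e.g. "C:\Program Files\OpenSSH\New Folder\sshd.exe" yields
# "C:\Program.exe" and "C:\Program Files\OpenSSH\New.exe".
function Get-SearchCandidates {
    param([Parameter(Mandatory)][string]$Path)
    $parts = $Path -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

# Services matching $NamePattern (assumption: "ssh", like the wmic check)
# whose binary path is unquoted and contains a space.
function Get-UnquotedSshServicePath {
    param([string]$NamePattern = 'ssh')
    Get-CimInstance Win32_Service |
        Where-Object { ($_.Name -match $NamePattern -or $_.DisplayName -match $NamePattern) -and
                       $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match ' ' } |
        ForEach-Object {
            # Executable portion: everything up to and including the first ".exe"
            $exe = if ($_.PathName -match '^(.*?\.exe)') { $Matches[1] } else { $_.PathName }
            [pscustomobject]@{
                Name       = $_.Name
                PathName   = $_.PathName
                Candidates = @(Get-SearchCandidates -Path $exe)
            }
        }
}

# Wrap the executable portion of the service's ImagePath in quotes, keeping
# any arguments that follow it. Supports -WhatIf for a dry run.
function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $img = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    # Already quoted, or no recognisable .exe component: leave untouched
    if ($img -match '^"' -or $img -notmatch '^(.*?\.exe)(.*)$') { return $img }
    $fixed = '"{0}"{1}' -f $Matches[1], $Matches[2]
    if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $fixed")) {
        Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
    }
    return $fixed
}

Get-UnquotedSshServicePath | Format-List
# Preview the fix for a flagged service, then run again without -WhatIf:
# Repair-UnquotedServicePath -Name sshd -WhatIf
```

Restart the service after changing ImagePath so the new path takes effect, and re-run the detection function (or the wmic check above) to confirm nothing is still flagged.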

Disclosure timeline:

7 Dec 2023 - Issue encountered during a host review, traced to root cause and disclosure process initiated with client.

7 Dec 2023 - Disclosure to the Microsoft Security Response Center (MSRC).

14 Dec 2023 - MSRC confirms the behaviour and changes status to develop.

14 Dec 2023 - Matt D contacted the MSRC offering more information if required.

19 Dec 2023 - v9.5.0.0 released with the security patch applied: https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta

9 Jan 2024 - Matt D contacted the MSRC

26 Jan 2024 - Matt D contacted the MSRC

4 Mar 2024 - Matt D contacted the MSRC requesting disclosure noting the lack of activity and fix having been previously applied.

10 Mar 2024 - Matt D notified the MSRC of the planned disclosure on March 25th.

20 Mar 2024 - Matt D re-confirmed the planned disclosure.

25 Mar 2024 - Issue disclosed publicly.

No contact has been received from the MSRC since it accepted the issue on 14 December. Despite the fix having been applied, the report has remained at the "develop" status.


Credit to Matthew Dekker for identifying this issue.


