ssh -R fix

2024-06-25 16:28:37 +00:00 · 2023-08-15 10:08:24 +01:00 · 2023-08-15 10:08:24 +01:00 · 1baf8f7744
commit 1baf8f7744
parent 013ce483a8
8 changed files with 46 additions and 23 deletions
--- a/1
+++ b/1
@ -1,4 +1,5 @@
 0.4.9p1 - 2023-09
+    * ssh -R fix in serverloop.c
    * a2enmod for php8.2 (thanks matthew)

 0.4.9a1 - 2023-08-13
--- a/1
+++ b/1
@ -65,6 +65,7 @@ FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/applications/burpsuite.d
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/applications/thc-tips-and-tricks.desktop"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/icons/metasploit.svg"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/icons/thc-logo.jpg"
+FILES_GUEST += "segfault-$(VER)/guest/fs-root-amd64/usr/bin/xmap"

 FILES_MASTER += "segfault-$(VER)/master/Dockerfile"
 FILES_MASTER += "segfault-$(VER)/master/Makefile"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -628,6 +628,7 @@ services:
      - SF_DIRECT
      - SF_DEBUG
      - SF_BACKING_FS
+      # - SF_DEBUG_SSHD=1  # FIXME-2022 sshd debug
    volumes:
      - "${SF_BASEDIR:-.}/config:/config/host"
      - "${SF_BASEDIR:-.}/data/share:/sf/share:ro"
@ -639,7 +640,8 @@ services:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "/var/lib/lxcfs:/var/lib/lxcfs:ro"
      - "${SF_SHMDIR:-/dev/shm/sf}/run/redis/sock:/redis-sock"
-      # - /research/segfault/host/fs-root/bin/segfaultsh:/bin/segfaultsh:ro # FIXME-2022
+    # - /research/segfault/host/fs-root/bin/segfaultsh:/bin/segfaultsh:ro # FIXME-2022
+      # - /research/segfault/host:/host:ro # FIXME-2022 sshd debug

  nginx:
    image: nginx
--- a/guest/Dockerfile
+++ b/guest/Dockerfile
@ -663,6 +663,10 @@ RUN /pkg-install.sh WEB apt-get install -y --no-install-recommends \
 		libnginx-mod-stream-js \
 		njs
 RUN /pkg-install.sh DEV apt-get install -y --no-install-recommends \
+		gengetopt \
+		libgmp3-dev \
+		libjson-c-dev \
+		libunistring-dev \
 		ninja-build \
 		repo
 # Android build tools:
@ -749,7 +753,8 @@ RUN /pkg-install.sh GUI apt-get install -y --no-install-recommends \
 RUN /pkg-install.sh LARGE apt-get install -y --no-install-recommends \
 		php8.2-fpm \
 		php8.2-xml
-RUN /pkg-install.sh HACK pipx install pwncat-cs
+RUN /pkg-install.sh HACK pipx install pwncat-cs \
+	&& /pkg-install.sh HACK ghbin praetorian-inc/noseyparker         'linux-'                         noseyparker
 RUN sed 's/deb-src.*//' -i /etc/apt/sources.list \
 	&& apt-get autoremove -y \
 	&& apt-get update
@ -759,6 +764,9 @@ RUN sed 's/deb-src.*//' -i /etc/apt/sources.list \

 # Do fs-root last (on vmbox it messes with permissions on directories and setup.sh fixes it)
 COPY setup.sh /fs-root/ /
+# Some tools are pre-compiled on existing segfaults and supplied as binary
+# (Mostly tools which are a bitch to build during 'docker build')
+COPY /fs-root-amd64/ /
 RUN		/setup.sh \
 	&& rm -f /setup.sh /pkg-install.sh

--- a/host/Makefile
+++ b/host/Makefile
@ -7,6 +7,7 @@ albuild:
 		docker run --network host --name alpine-gcc alpine sh -c 'apk update && apk add gcc patch libc-dev musl-dev zlib-dev openssl-dev make linux-headers libcap-dev bash' \
 		&& docker commit alpine-gcc alpine-gcc; }"

+# See mk_sshd.sh for manual debugging
 fs-root/usr/sbin/sshd: sf-sshd.patch mk_sshd.sh
 	docker run --rm -v$$(pwd):/src --net=host -w /tmp alpine-gcc /src/mk_sshd.sh

--- a/host/fs-root/bin/docker_sshd.sh
+++ b/host/fs-root/bin/docker_sshd.sh
@ -250,6 +250,7 @@ vboxfix /bin/segfaultsh
 # Allow segfaultsh access to /sf/bin if mounted from extern (during debugging)
 vboxfix /sf/bin

+[[ -n $SF_DEBUG_SSHD ]] && sleep infinity
 # This will execute 'segfaultsh' on root-login (uid=1000)
 exec 0<&- # Close STDIN
 exec /usr/sbin/sshd -u0 -D
--- a/host/mk_sshd.sh
+++ b/host/mk_sshd.sh
@ -3,6 +3,11 @@
 # Executed inside alpine-gcc context to build patched sshd
 # diff -x '!*.[ch]' -u -r openssh-9.2p1-orig openssh-9.2p1-sf | grep -v ^Only

+# Manual debugging:
+# cd /research/segfault/host
+# docker run --rm -v$(pwd):/host --net=host -it alpine-gcc bash -il
+# export PS1='ssh-build:\w\$ '
+
 DSTDIR="/src/fs-root/usr/sbin"
 DSTBIN="${DSTDIR}/sshd"
 set -e
--- a/host/sf-sshd.patch
+++ b/host/sf-sshd.patch
@ -1,6 +1,6 @@
-diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-sf/channels.c
--- openssh-9.2p1-orig/channels.c	2023-02-02 12:21:54.000000000 +0000
-+++ openssh-9.2p1-sf/channels.c	2023-08-07 11:02:57.954485279 +0000
+diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-sf/channels.c
+--- openssh-9.2p1-orig/channels.c	2023-02-02 12:21:54
+++ openssh-9.2p1-sf/channels.c	2023-08-15 06:13:05
@@ -3639,7 +3639,7 @@
 	ssh->chanctxt->IPv4or6 = af;
 }
@ -18,9 +18,9 @@ diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-sf/channels.
 			    strcmp(listen_addr, "0.0.0.0") != 0 &&
 			    strcmp(listen_addr, "*") != 0) {
 				ssh_packet_send_debug(ssh,
-diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1-sf/serverloop.c
--- openssh-9.2p1-orig/serverloop.c	2023-02-02 12:21:54.000000000 +0000
-+++ openssh-9.2p1-sf/serverloop.c	2023-08-07 17:38:57.711615443 +0000
+diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1-sf/serverloop.c
+--- openssh-9.2p1-orig/serverloop.c	2023-02-02 12:21:54
+++ openssh-9.2p1-sf/serverloop.c	2023-08-15 06:18:17
@@ -102,6 +102,12 @@
 /* requested tunnel forwarding interface(s), shared with session.c */
 char *tun_fwd_ifnames = NULL;
@ -34,15 +34,18 @@ diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1-sf/serverl
 /* returns 1 if bind to specified port by specified user is permitted */
 static int
 bind_permitted(int port, uid_t uid)
-@@ -391,6 +397,8 @@
+@@ -391,8 +397,10 @@
 			/* Clean up sessions, utmp, etc. */
 			cleanup_exit(255);
 		}
+-
+ 		channel_after_poll(ssh, pfd, npfd_active);
 +		if (sf_sigusr1_received != 0)
 +			sf_sshd2ns();
- 
- 		channel_after_poll(ssh, pfd, npfd_active);
+
 		if (conn_in_ready &&
+ 		    process_input(ssh, connection_in) < 0)
+ 			break;
@@ -637,12 +645,14 @@
 
 	if (strcmp(ctype, "session") == 0) {
@ -87,10 +90,10 @@ diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1-sf/serverl
 		}
 		if ((resp = sshbuf_new()) == NULL)
 			fatal_f("sshbuf_new");
-diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
--- openssh-9.2p1-orig/sshd.c	2023-02-02 12:21:54.000000000 +0000
-+++ openssh-9.2p1-sf/sshd.c	2023-08-07 17:38:29.479621863 +0000
-@@ -536,6 +536,69 @@
+diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
+--- openssh-9.2p1-orig/sshd.c	2023-02-02 12:21:54
+++ openssh-9.2p1-sf/sshd.c	2023-08-15 06:13:05
+@@ -536,8 +536,71 @@
 		return 0;
 	}
 }
@ -100,7 +103,7 @@ diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
 +#ifndef SECBIT_KEEP_CAPS
 +#define SECBIT_KEEP_CAPS (1<<4)
 +#endif
-+
+ 
 +int sf_done;
 +int sf_by_signal;
 +int sf_sigusr1_received;
@ -108,7 +111,7 @@ diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
 +size_t sf_ports_n;
 +static char sf_nsnet_name[128];
 +static struct ssh *sf_ssh;
-+static void
+ static void
 +cb_sigusr1(int sig)
 +{
 +	debug("SIGUSR1 RECEIVED");
@ -157,10 +160,12 @@ diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
 +
 +	sf_done = 1;
 +}
- 
- static void
+
+static void
 privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
-@@ -576,9 +639,35 @@
+ {
+ #ifdef DISABLE_FD_PASSING
+@@ -576,8 +639,34 @@
 
 	reseed_prngs();
 
@ -169,7 +174,7 @@ diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
 +
 	/* Drop privileges */
 	do_setusercontext(authctxt->pw);
- 
+
 +	// Set the effective CAPS to remove SECUREBITS
 +	cap_t caps = cap_get_proc();
 +	const cap_value_t cl[] = {CAP_SETPCAP};
@ -192,7 +197,6 @@ diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
 +	snprintf(sf_nsnet_name, sizeof sf_nsnet_name, "/dev/shm/ns-net-%d", getpid());
 +	sf_ssh = ssh;
 +	signal(SIGUSR1, cb_sigusr1);
-+
+ 
  skip:
 	/* It is safe now to apply the key state */
- 	monitor_apply_keystate(ssh, pmonitor);