ssh-keygen
Code execution/Privilege escalation
The binary ssh-keygen
can be made to load custom libraries via the -D
switch. This can result in arbitrary code
execution. If ssh-keygen
has SUID set, this can also lead to privilege escalation.
The easiest way to write a library in such a way that its code is executed by ssh-keygen
is to add a library constructor
__attribute__((constructor))
.
Note that ssh-keygen
makes a rudimentary check before loading a library! In particular, it checks for the existence of
a function C_GetFunctionList()
. The function signature does not matter, but it has to be present!
A ready-made codebase for getting code execution is available here.
This codebase also preserves the effective user id. Useful if ssh-keygen
is run with SUID for example.