[Security] Elevation of privilege over loopback

[manojampalam]

Please answer the following

"OpenSSH for Windows" version
0.0.12.0

OS details
All

What is failing
Elevation of privilege in the following setting:

• SSO setup for admin user with both client and server on the same box.
• User private key registered in ssh-agent and user's public key added as authorized for key-based auth

Malware running within an admin non-evelated session and create a ssh remote session over loopback (or to local IP) and can access an elevated remote ssh session on the same box.

Expected output
SSH remote sessions created with SSO over loopback should have no more privileges than client process.

Actual output
SSh remote sessions are elevated.

[manojampalam]

Mitigation:
Above setup (client and server on the same box) is not of practical use. Avoid such setup.
Write tools that can identify and warn of such configuration vulnerabilities.

[keiyakins]

That mitigation is absurd. It's quite normal to have both ssh and sshd on a single system. Pretty much every 'nix system I've ever set up works that way. Windows needs to catch up to the 80s.

The problem is in how elevation works. You should be elevating per-command not for the entire shell.

[davidvmckay]

Couldn't this be avoided by ensuring that the keys used for the client are incompatible with the keys used for the server?

[Jaykul]

Please don't focus on the loopback aspect of this. The problem is not the fact that users can loopback. The problem is if the user connects to an elevated session. Period. Full Stop.

Any attempt to address this by preventing loopback will break things that should work, and would not substantially mitigate the problem (the attacker would just need to connect out and then back in).

Outside of Windows, a user connecting via SSH is not be connected to an elevated session even if they have sudoer/administrator rights. They need to elevate individual commands (including, perhaps, launching an elevated shell) after they're connected, using sudo and their password...

[maertendMSFT]

The correct solution requires support of sudo in Windows.