Debian SE Linux and ssh-keysign-pwn

I just tested out the ssh-keysign-pwn exploit [1] on Debian kernel 6.12.74+deb13+1-amd64 which was released before these exploits.

When sshkeysign_pwn is run as user_t the following is logged in the audit log and it fails to exploit anything:

type=SYSCALL msg=audit(1778831599.951:22353257): arch=c000003e syscall=438 success=no exit=-1 a0=3 a1=c a2=0 a3=1b8020 items=0 ppid=5632 pid=6654 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=144 comm="sshkeysign_pwn" exe="/home/test/a/ssh-keysign-pwn/sshkeysign_pwn" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=pidfd_getfd AUID="test" UID="test" GID="test" EUID="test" SUID="test" FSUID="test" EGID="test" SGID="test" FSGID="test"
type=PROCTITLE msg=audit(1778831599.951:22353257): proctitle="./sshkeysign_pwn"
type=AVC msg=audit(1778831599.951:22353258): avc:  denied  { ptrace } for  pid=6654 comm="sshkeysign_pwn" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0

When it is run as unconfined_t the contents of the /etc/ssh/ssh_host_ecdsa_key file are correctly displayed on standard out in about 10ms, the file in question is only readable by root and a non-root user can use this exploit to read it.

It wouldn’t be uncommon to have a system configured to allow users to trace their own processes. The following policy addition grants access for the user to trace their own processes:

allow user_t self:process ptrace;

With that in place the sshkeysign_pwn exploit still doesn’t work and there are logs like the following:

type=AVC msg=audit(1778833455.726:57355191): avc:  denied  { read } for  pid=6941 comm="ssh-keysign" name="ssh_host_rsa_key" dev="vda" ino=15492 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1778833455.726:57355191): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=55eadec43061 a2=0 a3=0 items=0 ppid=6933 pid=6941 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=144 comm="ssh-keysign" exe="/usr/lib/openssh/ssh-keysign" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID="test" UID="test" GID="test" EUID="root" SUID="root" FSUID="root" EGID="test" SGID="test" FSGID="test"

So if you could find some secret data in a file that’s only restricted by Unix permissions and user_t is granted ptrace access then a variant of that exploit could work.

When user_t is allowed ptrace access the chage_pwn exploit fails with the following log entries, so any binary that runs in a different domain can’t be used in that situation.

type=AVC msg=audit(1778833908.020:57434896): avc:  denied  { ptrace } for  pid=7037 comm="chage_pwn" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:passwd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1778833908.020:57434896): arch=c000003e syscall=438 success=no exit=-1 a0=3 a1=5 a2=0 a3=1b7e00000000 items=0 ppid=5632 pid=7037 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=144 comm="chage_pwn" exe="/home/test/a/ssh-keysign-pwn/chage_pwn" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=pidfd_getfd AUID="test" UID="test" GID="test" EUID="test" SUID="test" FSUID="test" EGID="test" SGID="test" FSGID="test"

Conclusion

In a “strict” configuration with users having the user_t domain a Debian system is not vulnerable to these exploits unless there is some configuration error or some unusual configuration choices. Users with the unconfined_t domain can successfully run the exploits.

• [1] https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn