chroot escape in Win32 sftp-server

Open jhudsoncedaron opened this issue 1 year ago • 0 comments

Prerequisites

  • [X] Write a descriptive title.
  • [X] Make sure you are able to repro it on the latest version
  • [X] Search the existing issues.

Steps to reproduce

  1. Create test user account

  2. Turn on Developer Mode

  3. Load into sshd_config:

Match User test
       ForceCommand internal-sftp
       ChrootDirectory %h

(In fact any writable directory will do, or even a writable subdirectory, but with different steps to reproduce)

  4. Log in with sftp

  5. Run the following commands

sftp>ln -s .. parent
sftp>ls ..

Expected behavior

shows listing of c:\users\test

Actual behavior

shows listing of c:\users

Error details

No error message generated

Environment data

Not applicable; PowerShell itself is not in the reproduction steps

Version

OpenSSH_for_Windows_9.8p1 Win32-OpenSSH-GitHub, LibreSSL 3.9.2

Additional Info

MSRC Case 91638 reports: Not a vulnerability

This is still a bug. The behavior of .. bouncing off the root is well-known and stuff depends on this working.

To test this on Unix systems: ChrootDirectory %h there currently requires the home directory to be owned by root and not writable by anybody else, so this needs to be tested with a writable subdirectory:

# chown root ~test
# chmod 755 ~test
# mkdir ~test/sub
# chown test ~test/sub
# sftp localhost
sftp>ln -s ../.. sub/grandparent
sftp>ls sub/grandparent
(lists /home/test but on Windows lists C:\Users)

Additional test cases (to avoid breaking something else)

sftp>ln -s / root
sftp>ls root
(should list C:\Users\test and does)
sftp>mkdir aaa
sftp>ln -s ../Documents aaa/docs
sftp>ls aaa/docs
(should list C:\Users\test\Documents and does)

jhudsoncedaron, Oct 16 '24 17:10
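
An added example (not part of the original issue and not Win32-OpenSSH code): a minimal C model of the behaviour the report expects, where `..` bounces off the chroot root even when it comes from a symlink target. The symlink table, `chroot_resolve` and the other names are constructed for illustration, using the link names from the test cases above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed symlink table: link path inside the chroot -> stored target. */
static const struct { const char *path, *target; } links[] = {
    { "/parent", ".." },  { "/sub/grandparent", "../.." },
    { "/root", "/" },     { "/aaa/docs", "../Documents" },
};
static const char *lookup(const char *p) {
    for (size_t i = 0; i < sizeof links / sizeof links[0]; i++)
        if (strcmp(links[i].path, p) == 0) return links[i].target;
    return NULL;
}
/* Drop the last component; at "/" this is a no-op, so ".." bounces off the root. */
static void pop(char *cur) {
    char *s = strrchr(cur, '/');
    *(s == cur ? s + 1 : s) = '\0';
}
/* Apply path to cur, a chroot-relative absolute path. Returns 0, or -1 on error. */
static int walk(char *cur, size_t cap, const char *path, int depth) {
    if (depth > 8) return -1;                 /* symlink loop guard */
    if (path[0] == '/') strcpy(cur, "/");     /* absolute means the chroot root */
    for (const char *p = path; *p; ) {
        size_t n = strcspn(p, "/"), len = strlen(cur);
        const char *c = p;                    /* current component is c[0..n) */
        p += n ? n : 1;                       /* step past it, or past one '/' */
        if (n == 0 || (n == 1 && c[0] == '.')) continue;
        if (n == 2 && c[0] == '.' && c[1] == '.') { pop(cur); continue; }
        if (len + n + 2 > cap) return -1;     /* room for '/', name and NUL */
        snprintf(cur + len, cap - len, "%s%.*s", len > 1 ? "/" : "", (int)n, c);
        const char *target = lookup(cur);
        if (!target) continue;
        pop(cur);                             /* targets resolve from the link's directory */
        if (walk(cur, cap, target, depth + 1) != 0) return -1;
    }
    return 0;
}
/* Resolve a client path to its canonical form inside the chroot. */
int chroot_resolve(const char *path, char *out, size_t cap) {
    if (cap < 2) return -1;
    strcpy(out, "/");
    return walk(out, cap, path, 0);
}

int main(void) {
    const char *cases[] = { "..", "parent", "sub/grandparent", "root", "aaa/docs" };
    char out[256];
    for (size_t i = 0; i < 5 && chroot_resolve(cases[i], out, sizeof out) == 0; i++)
        printf("%-16s -> %s\n", cases[i], out);
}
```

The result is always a path relative to the chroot, so a server following this model would join it to the chroot directory only after resolution has finished.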