How to inform VT improvement (SSH privileged mode)

Hi,

Recently I have encountered some trouble doing privileged scans via SSH on some hosts.
After looking at the debug information, I figured out that the host (a Debian 11) was sending some strange characters around the user (the string appeared in the debug output as “?2004h” and “?2004l”).

With that information, I researched and found that this was an escape sequence for bracketed paste mode, as seen at: https://cirw.in/blog/bracketed-paste.

I tried to set the options in .bashrc and .profile on the host machine, but it was still sending the sequence.

Then, I found in the ssh_func.inc script a function called del_esc_seq, which seems to remove escape sequences from the data. I just modified that function to exclude the bracketed sequence and, voilà, it worked.

The line added was:

  data = ereg_replace( pattern:'\x1b\x5b\x3f2004[lh]', replace:'', string:data );

Finally, I want to share this info, hoping that it reaches the Greenbone staff who maintain the NVT database.

1 Like

Hi and welcome to the community!

Thanks for your research and provided information. We will have a look at it.

By privileged scan, do you mean a normal authenticated scan (authenticated with a normal user) or a (still experimental) elevated scan (authenticated as a normal user and then elevated to another user)?

1 Like

I made a double-check, and the line was wrong. The correct one (surprisingly) is:

  data = ereg_replace( pattern:'\x1b\x5b\x3f[0-9]*[lh]', replace:'', string:data );

1 Like

Hi, ckuerste.
And thank you for the greetings.

I’m talking about the elevated scan, specifically. But it may interfere with a normal authenticated scan too, as the escape sequence appears in every SSH communication.

Example (on a Debian 11 container):

---------------------------------------------------------
SSH DEBUG ("Elevate Privileges" feature enabled):
IP:   127.0.0.1
PTY:  1
CMD:  /bin/sh -c 'LANG=C; LC_ALL=C; echo "login test"'

RES (before clean up):
--- added separator start ---

?2004hroot@c575ae0273af:~# ?2004llogin test
?2004hroot@c575ae0273af:~#
--- added separator end   ---

RES (after clean up):
--- added separator start ---

?2004hroot@c575ae0273af:~# ?2004llogin test
?2004hroot@c575ae0273af:~#
--- added separator end   ---
---------------------------------------------------------

And with the patch:

lib  nasl:MESSAGE:2022-06-07 16h59.31 utc:165586: 
---------------------------------------------------------
SSH DEBUG ("Elevate Privileges" feature enabled):
IP:   127.0.0.1
PTY:  1
CMD:  /bin/sh -c 'LANG=C; LC_ALL=C; echo "login test"'

RES (before clean up):
--- added separator start ---

root@d9e5a49e2014:~# login test
root@d9e5a49e2014:~#
--- added separator end   ---

RES (after clean up):
--- added separator start ---

root@d9e5a49e2014:~# login test
root@d9e5a49e2014:~#
--- added separator end   ---
---------------------------------------------------------
lib  nasl:MESSAGE:2022-06-07 16h59.57 utc:165586: 
---------------------------------------------------------
SSH DEBUG ("Elevate Privileges" feature enabled):
IP:   127.0.0.1
PTY:  0
CMD:  unset PROMPT_COMMAND > /dev/null 2>&1; export PS1="##greenbone-defined-shell-prompt##"; /bin/sh -c 'LANG=C; LC_ALL=C; whoami'

RES (before clean up):
--- added separator start ---
root
##greenbone-defined-shell-prompt##
--- added separator end   ---

RES (after clean up):
--- added separator start ---
root
--- added separator end   ---
---------------------------------------------------------
1 Like
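An added example (not code from the thread or from Greenbone) that applies the corrected pattern above in Python to a constructed copy of the first debug output, checks that no escape bytes survive the cleanup, and then splits the command result off from the shell prompt; the sample string and the helper names are assumptions.

```python
import re

# Constructed sample: the PTY output from the thread's first debug block, with
# the escape bytes written out (the debug log rendered them as "?2004h"/"?2004l").
RAW_PTY_OUTPUT = (
    "\x1b[?2004hroot@c575ae0273af:~# \x1b[?2004llogin test\r\n"
    "\x1b[?2004hroot@c575ae0273af:~# "
)
PROMPT = "root@c575ae0273af:~# "

# The pattern the thread settled on: ESC '[' '?' digits, then 'h' (set) or 'l'
# (reset). Mode 2004 is bracketed paste, but every DEC private mode has this
# shape, so matching any digit run removes them all in one pass.
PRIVATE_MODE_RE = re.compile(r"\x1b\[\?[0-9]*[lh]")


def strip_private_modes(data: str) -> str:
    """Remove all ESC[?<n>h / ESC[?<n>l sequences from captured shell output."""
    return PRIVATE_MODE_RE.sub("", data)


def has_escape_bytes(data: str) -> bool:
    """Post-condition check: an ESC byte left behind means cleanup was incomplete."""
    return "\x1b" in data


def extract_command_output(data: str, prompt: str) -> str:
    """Return the text between the first and second prompt, i.e. the command result."""
    cleaned = strip_private_modes(data)
    if has_escape_bytes(cleaned):
        raise ValueError("unhandled escape sequence remains in output")
    parts = cleaned.split(prompt)
    if len(parts) < 3:
        raise ValueError("expected output bracketed by two prompts")
    return parts[1].strip()


if __name__ == "__main__":
    print(repr(strip_private_modes(RAW_PTY_OUTPUT)))
    print(extract_command_output(RAW_PTY_OUTPUT, PROMPT))
```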

Just for your information:
I’ve created an internal ticket so this doesn’t get lost. It might take some time until someone can have a closer look at it, but we will inform you again once it has been tackled.

Regards,
Chris

2 Likes