The ^M was a carriage return character. `crontab -l` shows nothing unusual because the ^M causes the later innocent-looking entry to overwrite the actual entry. With the added obfuscation of two other completely innocuous entries ("daily" and "weekly"), it's not easy to spot.
Perhaps something similar could be done with SSH keys? Drop a ^M somewhere in the command and make the rest look innocuous.
Also, base64-encoding the evil command would be more effective, since a typical key is a pile of unreadable base64 anyway, so it would blend in better.
This is a fun technique, but the branding here is a little bombastic: running commands whenever a public key connects is an explicitly supported feature in OpenSSH (and other SSH daemons, like dropbear[1]).
To "exploit" this you'd need to convince someone to use it as their SSH public key, and `command=...` should be a pretty big giveaway; I wouldn't expect hiding the payload in a hex string to confuse or trick anyone except for someone who shouldn't be adding their own SSH keys to servers anyways.
Does not make sense. Why would a user upload a public key with a "command=" option? And, in any case, the command executes with the privileges of the user, so it can do nothing that can't already be done by a normal command invocation.
From my experience, almost nobody fully understands proper public key distribution practices. Usually, it all ends with "Please find my public key attached to this e-mail." - "Imported. You can log in." No fingerprint check via different means of communication (e.g. over phone) etc.
I can imagine a scenario of an attacker being able to intercept and substitute such e-mail with an identical one that just has the attached public key modified to include the backdoor "command=" modification. There may be numerous other scenarios such as substituting a public key in a shared public key storage/database.
Public keys are often treated as something totally harmless. It's assumed that the worst case scenario is that SSH connection will just fail if a public key was tampered with unless an attacker is also able to intercept and proxy actual SSH connection in real time (which is much more complex and much less feasible).
The attack described should be taken very seriously. Entities that have shared public key repositories may need to review their practices and include an automatic check for "command=" in the public keys uploaded. Of course, proper procedures on SSH server end (such as visually inspecting a key before installing it while confirming the fingerprint over a different medium) should already prevent this attack from succeeding, but they likely rely on additional human intervention which is not always done in real life.
That makes more sense, but then, in any case, you should be transmitting public keys over a medium that is authenticated in some form. Otherwise, an attacker could simple replace the key by theirs.
The advantage of this method is that it works without supervision. If the attacker just replaced the key, they would have to attempt to login in the narrow window between installation and it being replaced because it does not work.
Exactly the reason I’ve half considered flagging the article.
You remember the old meme,
1. A thing
2. ???
3. Profit!
This is sort of like that: TFA skips over the part where the user is owned or conned by someone else.
The honest headline would be “yet another clever malicious thing you can do once you compromise someone else’s accounts!” but I can see where that would get fewer clicks.
How would this be deployed? If you already have access to the users authorized-keys it seems like you'd have enough access to do many other, more damaging things.
Spoiler: It isn't, it doesn't even run OpenSSH at this point anyway[1]. Gitlab has gitlab-sshd[2], which can be used in place of the OpenSSH-based approach as well. It is used on gitlab.com.
[1]: debug1: Remote protocol version 2.0, remote software version babeld-51390fc7
Perhaps something similar could be done with SSH keys? Drop a ^M somewhere in the command and make the rest look innocuous.
Also, base64-encoding the evil command would be more effective, since a typical key is a pile of unreadable base64 anyway, so it would blend in better.