Summary
SSH's ProxyCommand is a feature quite widely used to proxy ssh connections: it allows users to specify a custom command to be used to connect to the server. Arguments to this directive may contain tokens like `%h` and `%u`, which refer to the hostname and username respectively.
When coming from untrusted sources, a hostname can be malicious and look something like `malicious-command` (backticks would allow a command to be executed in the shell).
More info is in the docs, which describe this feature in detail.
Let's review an example

Taking an example based on the docs:
```
Host *.example.com
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
```
In this case, there is no sanitization of the hostname, and if `%h` contains a malicious hostname, it may allow command execution.
Can I haz PoC?
What good is all this without a PoC? So here we go! Once you have added the above example to your `.ssh/config`, try the following, which should pop a calculator on OS X.

```
git clone https://github.com/vin01/poc-proxycommand-vulnerable --recurse-submodules
```
Even if the ProxyCommand is used with single quotes to sanitize arguments, i.e. `'%h'`, that is not sufficient, since an attacker-controlled hostname might itself contain a single quote and defeat the quoting.
PoC 2:

```
git clone https://github.com/vin01/poc-proxycommand-vulnerable-v2 --recurse-submodules
```
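A defensive check for the two problems above (backticks in `%h`, and a single quote inside `%h` breaking out of `'%h'`), added here as example code and not the author's or OpenSSH's own: a strict DNS-hostname allowlist is applied before the ssh_config tokens are expanded, so no shell metacharacter can reach `sh -c` at all. The token syntax (`%h`, `%p`, `%u`, `%%`) is that of ssh_config; the function names are my own.

```python
import re

# RFC 1123-style hostname: labels of letters, digits and hyphens, separated
# by dots, no label starting or ending with a hyphen, at most 253 characters.
# Anything else (backticks, quotes, $(), ';', spaces, underscores) is rejected.
# Caveat: bare IP literals such as "[::1]" are rejected too; extend the check
# if your configs legitimately use them.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def is_safe_hostname(host: str) -> bool:
    """True only for plain DNS names that are harmless inside a shell command."""
    return 0 < len(host) <= 253 and bool(_HOSTNAME_RE.match(host))


def expand_proxy_command(template: str, host: str, port: int, user: str) -> str:
    """Expand %h / %p / %u / %% the way ssh_config does, but refuse to expand
    at all when the hostname is not a plain DNS name. Because the result is
    always handed to `sh -c`, validation of the value, not quoting of the
    template, is what prevents command injection."""
    if not is_safe_hostname(host):
        raise ValueError(f"refusing to expand ProxyCommand for hostname {host!r}")
    tokens = {"%h": host, "%p": str(port), "%u": user, "%%": "%"}
    # Scan left to right so "%%h" becomes "%h" rather than being re-expanded.
    return re.sub(r"%[hpu%]", lambda m: tokens[m.group(0)], template)


if __name__ == "__main__":
    template = "/usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p"   # from the docs example
    print(expand_proxy_command(template, "bastion.example.com", 22, "alice"))
    for bad in ("`malicious-command`", "host'; id; '", "-evil.example.com"):
        print(bad, "->", "rejected" if not is_safe_hostname(bad) else "accepted")
```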
Remediation

Update to:
Vulnerable usage out in the wild
- https://help.okta.com/asa/en-us/content/topics/adv_server_access/docs/custom-ssh-client.htm
- https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/
- https://cloud.google.com/iap/docs/tcp-by-host
- https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html
- https://goteleport.com/docs/connect-your-client/tsh/
- https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Tunneling_the_SSH_Client_Over_Tor_with_Netcat
CVEs and references
My sincere thanks to:

- Kevin Roh @ Okta for brilliant triaging and impact assessment
- Jakub Jelen @ libssh for timely follow up and communication
- Damien Miller and others @ OpenSSH for patches and discussions
- Maintainers @ Git for discussions to define a potential trust boundary between ssh and git
Originally published on Vin01's Blog: SSH ProxyCommand == unexpected code execution (CVE-2023-51385)
Please credit when reposting: SSH ProxyCommand == unexpected code execution (CVE-2023-51385) | CTF导航