{"uuid": "2b18d67b-9511-4bac-ba29-0db2a256466a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-51385", "type": "published-proof-of-concept", "source": "https://t.me/poxek/3528", "content": "SSH ProxyCommand == RCE\nCVE-2023-51385\n#RCE\n\nSSH\u2019s ProxyCommand is a feature quite widely used to proxy ssh connections by allowing you to specify custom commands to be used to connect to the server. Arguments to this directive may contain tokens like %h, %u which refer to hostname and username respectively.\n\nWhen coming from untrusted sources, a hostname can be malicious and look something like malicious-command (backticks would allow a command to be executed in shell)\n\nMalicious config:\nHost *.example.com\n  ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p\n\nLatest PoC:\nurl = ssh://'`open -aCalculator`'foo.example.com/bar\n\nExploit: https://github.com/vin01/poc-proxycommand-vulnerable-v2\n\nFor remediation you need to update to:\nOpenSSH 9.6p1\nlibssh 0.10.6 and 0.9.8\n\n\ud83c\udf1a @poxek", "creation_timestamp": "2023-12-24T09:02:08.000000Z"}