[Bug 2706] New: remote code execution via ProxyCommand+browser exploit

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Apr 7 13:31:37 AEST 2017


            Bug ID: 2706
           Summary: remote code execution via ProxyCommand+browser exploit
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: All
                OS: Mac OS X
            Status: NEW
          Severity: security
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: imoverclocked at gmail.com

Given the URL in a web browser: 


iTerm2 currently launches ssh with a hostname of: 


With a vanilla SSH configuration this is ok since SSH errors out with
"host not found." However, with a special SSH configuration, a website
can execute an arbitrary command:

Host *
  ProxyCommand connect_to %r %h

What happened:

  `id>/tmp/whoami` was executed.

What should have happened instead:

1) SSH passes %r/%h as an argument to the ProxyCommand without shell
2) %h should be validated to adhere to valid punycode
3) Introduce a SafeProxyCommand that only allows safe characters in

You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list