Full Report
The SSH ProxyCommand is used for proxying SSH connections. In particular, custom commands can be used to connect to the server. Within these commands are tokens, such as %h for the hostname or %p for the port. These tokens were not sanitized when expanded into the ProxyCommand shell command, so a malicious host, port or one of several other values could be used to get command injection in the SSH proxying setup. At first, I didn't understand where this came from. They provided a command from GitHub for a PoC. In this example, the submodule files contain ssh://`open -aCalculator`foo.example.com/bar, which creates a command injection on the proxy setup. Be careful what you download! This could have been exploited to torch people using git in many different ways. Awesome, yet simple bug in an everyday system.
Analysis Summary
# Vulnerability: Command Injection via SSH ProxyCommand Expansion
## CVE Details
- **CVE ID:** CVE-2023-51385 (OpenSSH), CVE-2023-6004 (libssh)
- **CVSS Score:** 9.8 (Critical) - *Note: Based on NVD severity for remote command injection.*
- **CWE:** CWE-77 (Improper Neutralization of Special Elements used in a Command)
## Affected Systems
- **Products:** OpenSSH, libssh, and automation tools/clients that rely on them (e.g., Git).
- **Versions:**
  - OpenSSH versions prior to 9.6p1.
  - libssh versions prior to 0.10.6 and 0.9.8.
- **Configurations:** Systems utilizing the `ProxyCommand` directive in `.ssh/config` where tokens like `%h` (hostname) or `%u` (username) are expanded, particularly when interacting with untrusted sources (like malicious Git submodules).
## Vulnerability Description
The flaw exists in how SSH clients handle the expansion of tokens (specifically `%h` for host, `%p` for port, and `%u` for user) within the `ProxyCommand` directive. These tokens are not properly sanitized before being passed to the shell for execution. If an attacker can control the hostname—for example, via a malicious URL in a Git submodule—they can include shell metacharacters (such as backticks or single quotes) to break out of the intended command and execute arbitrary code on the local machine.
## Exploitation
- **Status:** PoC available.
- **Complexity:** Low (requires a user to perform an action against a malicious URI).
- **Attack Vector:** Network (Remote via social engineering/untrusted repositories).
## Impact
- **Confidentiality:** High (Full access to the local user's data).
- **Integrity:** High (Ability to modify local files and configurations).
- **Availability:** High (Potential for system disruption or deletion of data).
## Remediation
### Patches
- **OpenSSH:** Upgrade to version **9.6p1** or later.
- **libssh:** Upgrade to **0.10.6** or later (0.10 branch) or **0.9.8** or later (0.9 branch).
### Workarounds
- **Strict Input Validation:** Avoid using `ProxyCommand` with untrusted hostnames.
- **Manual Sanitization:** Ensure `ProxyCommand` configurations do not process unverified external input; however, manual quoting is often insufficient as attackers can use nested quotes to escape.
## Detection
- **Indicators of Compromise:**
  - Review `.ssh/config` for suspicious `ProxyCommand` entries.
  - Monitor for unusual process spawning (e.g., `Calculator.app`, `sh`, `bash`) originating from `ssh` or `git` processes.
- **Detection Methods:** Scan Git repositories for submodules containing URIs whose host part includes shell metacharacters (e.g., backticks or single quotes, as in the `ssh://`-prefixed PoC URI above).
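The submodule scan described above, written as an added example that is not from the page or the referenced research. It parses a constructed `.gitmodules`, extracts the host the same way Git would before handing `%h` to `ssh`, and flags any host that fails a strict character allow-list; that allow-list (alphanumerics, `.`, `-`, `_`) is an assumption chosen to approximate the restrictive hostname check OpenSSH introduced in 9.6, not a copy of it.

```python
"""Flag .gitmodules URLs whose host would be unsafe to expand into a ProxyCommand."""
import re

# Constructed sample (not from the page). "evil" mirrors the PoC URI pattern
# discussed above; "evil2" uses a single quote, the other metacharacter the
# report names. "good" is a normal submodule.
SAMPLE_GITMODULES = """\
[submodule "good"]
\tpath = good
\turl = ssh://git@github.com/example/good.git
[submodule "evil"]
\tpath = evil
\turl = ssh://`open -aCalculator`foo.example.com/bar
[submodule "evil2"]
\tpath = evil2
\turl = git@foo'bar.example.com:x/y.git
"""

# Assumed allow-list approximating OpenSSH 9.6's strict hostname check.
# IPv6 literals ("[::1]") are deliberately flagged for manual review.
SAFE_HOST = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def extract_host(url: str) -> str:
    """Return the host part of an ssh:// URL or an scp-like user@host:path."""
    if "://" in url:
        authority = url.split("://", 1)[1].split("/", 1)[0]
        host = authority.rsplit("@", 1)[-1]          # drop user@
        if ":" in host and not host.startswith("["):
            host = host.rsplit(":", 1)[0]            # drop :port
        return host
    return url.split(":", 1)[0].rsplit("@", 1)[-1]   # scp-like form


def parse_gitmodules(text: str) -> dict[str, str]:
    """Minimal INI parse: map submodule name -> url."""
    modules, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r'\[submodule "(.+)"\]', line)
        if m:
            current = m.group(1)
        elif current and re.match(r"url\s*=", line):
            modules[current] = line.split("=", 1)[1].strip()
    return modules


def find_unsafe_submodules(text: str) -> dict[str, str]:
    """Return {submodule: host} for every URL whose host fails SAFE_HOST."""
    return {name: extract_host(url)
            for name, url in parse_gitmodules(text).items()
            if not SAFE_HOST.fullmatch(extract_host(url))}


if __name__ == "__main__":
    for name, host in find_unsafe_submodules(SAMPLE_GITMODULES).items():
        print(f"UNSAFE submodule {name!r}: host {host!r}")
```

Run it against a real checkout by reading the repository's `.gitmodules` into `find_unsafe_submodules`; an empty result means every submodule host passed the allow-list.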
## References
- **Vendor Advisory:** hxxps://www.openssh.com/txt/release-9.6
- **Libssh Advisory:** hxxps://www.libssh.org/security/advisories/CVE-2023-6004.txt
- **NVD Entry:** hxxps://nvd.nist.gov/vuln/detail/CVE-2023-51385
- **Original Research:** hxxps://vin01.github[.]io/piptagole/ssh/security/2023/12/20/ssh-proxycommand-unexpected-command-execution.html
- **PoC Repository:** hxxps://github[.]com/vin01/poc-proxycommand-vulnerable