bugzilla-daemon at bugzilla.mindrot.org
2017-Apr-07 03:27 UTC
[Bug 1762] Improve the documentation w.r.t. "the user's shell"
https://bugzilla.mindrot.org/show_bug.cgi?id=1762
imoverclocked at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|enhancement |security
CC| |imoverclocked at gmail.com
Component|Documentation |ssh
Version|5.5p1 |7.4p1
--- Comment #2 from imoverclocked at gmail.com ---
Given the URL in a web browser:
"ssh://user at somehost.%60id%3E%2Ftmp%2Fwhoami%60.example.com"
iTerm2 currently launches ssh with a hostname of:
somehost.`id>/tmp/whoami`.example.com
With a vanilla SSH configuration this is ok since SSH errors out with
"host not found." However, with a special SSH configuration, a website
can execute an arbitrary command:
```
Host *
ProxyCommand connect_to %r %h
```
What happened:
`id>/tmp/whoami` was executed.
What should have happened instead:
1) SSH passes %r/%h as an argument to the ProxyCommand without shell
interpolation
2) %h should be validated to adhere to valid punycode
3) Introduce a SafeProxyCommand that only allows safe characters in
%r/%h/etc...
--
You are receiving this mail because:
You are watching the assignee of the bug.
Apparently Analagous Threads
- [Bug 2706] New: remote code execution via ProxyCommand+browser exploit
- [Bug 1762] Improve the documentation w.r.t. "the user's shell"
- Baffling regress/forwarding.sh failure, new in 7.4p1
- Problem with port forwarding on Mac OS X
- [PATCH] allow relative path in streamlocal forwarding
Wisdom of the Ancients
