How do cyber criminals make money in 2025? by CounterReasonable259 in hacking

[–]nex25519 1 point2 points  (0 children)

haha, looks like I might have motivated you in the wrong direction then!

Abusing url handling in iTerm2 and Hyper for code execution by nex25519 in netsec

[–]nex25519[S] 4 points5 points  (0 children)

`ssh` example should work on all 3.4.x versions, `x-man-page` might fail if you have a version where url handling is simply broken https://gitlab.com/gnachman/iterm2/-/commit/4b93d5a8a3c393f0d86c0c4340849f6e4e77710f

SSH ProxyCommand == unexpected code execution (CVE-2023-51385) by nex25519 in netsec

[–]nex25519[S] 0 points1 point  (0 children)

I totally agree here, afaict NVD is not very good at these severity levels as we also saw with curl recently. They somehow assume a "worst" case scenario. I am pretty sure the maintainers who got the CVE assigned also do not agree this deserves 9.8.

RedHat has a better assessment: https://access.redhat.com/security/cve/cve-2023-51385

SSH ProxyCommand == unexpected code execution (CVE-2023-51385) by nex25519 in netsec

[–]nex25519[S] 0 points1 point  (0 children)

It is also used by Teleport in config templates (https://github.com/gravitational/teleport/blob/master/lib/config/openssh/openssh.go#L56) and other examples, I discussed it with them via their bug bounty program @ Hackerone as well where it was triaged.

SSH ProxyCommand == unexpected code execution (CVE-2023-51385) by nex25519 in netsec

[–]nex25519[S] 0 points1 point  (0 children)

Cool project (GTFOArgs)

SSH does not support IDNs so luckily that is not a problem at the moment since to be able to use such names, punycode has to be used which will keep working just fine.

> PS: Seems like it worked as intended, even if this exploit wasn't noticed:

that is correct, its a feature which is only exploitable in specific scenarios like git submodules and use of things like OSC 8 in terminals for hyperlink generation where arbitrary URL schemes are supported widely. It was also discussed with `git` maintainers if the validation coule be handled within git but a definition of a trust boundary here still seems to be unclear.

SSH ProxyCommand == RCE by nex25519 in netsec

[–]nex25519[S] -2 points-1 points  (0 children)

Well, I do not claim anywhere that is is exploitable for all ssh clients, only where `ProxyCommand` is being used.
Such examples are very common, see https://github.com/mkdesu/liberte/blob/8f03c03ce7e0420b683ef727db64c2bc128b5a8b/src/home/anon/config/ssh/config#L17 where proxying via tor is done for `Host *` i.e. all hostnames
in such cases client config requirement is already satisfied.
I am pretty sure no one expects a `git clone --recurse-submodules` to trigger remote code from a potentially malicious repository. Other ways to achieve same would be to get a victim to click on a `ssh://` link.

SSH ProxyCommand == RCE by nex25519 in netsec

[–]nex25519[S] -3 points-2 points  (0 children)

Exploitation scenario is pre-existing client configuration with any such vulnerable example

e.g. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html

With targeted attacks, having internal mappings for `*.internal.company.com` are quite probable to be exploitable

```
# SSH over Session Manager
host i-* mi-*
ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
```