Lucene search

K
hackeroneVx01H1:2293731
HistoryDec 20, 2023 - 10:05 p.m.

Internet Bug Bounty: Command Injection using malicious hostname in expanded proxycommand

2023-12-2022:05:47
vx01
hackerone.com
$540
21
bug bounty
command injection
proxycommand
exploit
hostname syntax
code execution
user interaction
security advisory
libssh
openssh

7.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.9%

Using the ProxyCommand or the ProxyJump feature enables users to exploit
unchecked hostname syntax on the client, which enables to inject malicious code
into the command of the above-mentioned features through the hostname parameter.

User interaction is required to exploit this issue.

Advisory from libssh: https://www.libssh.org/security/advisories/CVE-2023-6004.txt

Advisory from OpenSSH which also suffered from this flaw: https://www.openssh.com/txt/release-9.6

Impact

Code execution via malicious input hostname or other tokens