argument-injection-vectors

Add -D for ssh-keygen

Open 0xdea opened this issue 2 years ago • 4 comments

This looks like a good candidate to add to your project: https://seanpesce.blogspot.com/2023/03/leveraging-ssh-keygen-for-arbitrary.html

0xdea, Jun 05 '23 09:06

Thank you for your contribution! Are you aware of CVEs where the argument injection happened on an invocation of ssh-keygen?

For instance, the fix for CVE-2020-16846 could be a good candidate but it's not exploitable: the tainted data is preceded by -f and the argument parser will correctly treat it as an option-argument and not as an option ;-(
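The `-f` point in the comment above, as an added example that is not part of the original thread or of the project's code: Python's `getopt` follows the Unix `getopt()` convention, so it shows how a getopt-style parser classifies a tainted value depending on where it lands in the argument vector. The option string is an assumed, simplified subset of ssh-keygen's options, and the tainted values and the `SLOT` placeholder are constructed for the illustration.

```python
import getopt

# Assumption: simplified subset of ssh-keygen options, each taking a value.
OPTSTRING = "f:t:D:"
SLOT = object()  # hypothetical marker for where untrusted data is substituted


def _parse(template, value):
    argv = [value if a is SLOT else a for a in template]
    return getopt.getopt(argv, OPTSTRING)


def classify(template, tainted):
    """Return how the parser treats `tainted`:
    'option-argument', 'option' or 'operand'."""
    # Baseline: which options does the parser see with a harmless value?
    base_opts, _ = _parse(template, "benign")
    try:
        opts, _operands = _parse(template, tainted)
    except getopt.GetoptError:
        # The parser tried to interpret the value as an (unknown) option.
        return "option"
    if [flag for flag, _ in opts] != [flag for flag, _ in base_opts]:
        # The value introduced an option that the caller never wrote.
        return "option"
    if any(val == tainted for _, val in opts):
        # Consumed as the value of a preceding option such as -f.
        return "option-argument"
    return "operand"


# Constructed sample inputs.
TAINTED = "-Dconstructed-value"

AFTER_F = ["-f", SLOT]               # value directly follows -f
BARE = ["-t", "rsa", SLOT]           # value in operand position
GUARDED = ["-t", "rsa", "--", SLOT]  # end-of-options marker before the value

if __name__ == "__main__":
    for name, tpl in (("after -f", AFTER_F), ("bare", BARE), ("after --", GUARDED)):
        print(f"{name:10s} -> {classify(tpl, TAINTED)}")
```

Only the bare position lets the value be parsed as an option; a preceding option that takes a value, or a `--` separator, keeps it as data.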

Hi, I'm not aware of an actual CVE where an argument injection happened via ssh-keygen.

0xdea, Jun 06 '23 08:06

In that case, I'll keep the issue open for now. I'm trying to add only vectors documented in a CVE or in a writeup to avoid colliding too much with GTFOBins.

Understood! Thanks.

0xdea, Jun 12 '23 15:06