CVE-2020-15778

PoC with authorized_keys

Open jeffbencteux opened this issue 4 years ago • 1 comments

Could you provide an OpenSSH authorized_keys that allows such injections?

Tried on Debian 10.7 with OpenSSH_7.9p1, and all attempts at restricting actions in authorized_keys with command="" result in the englobing of special characters such as backticks with single quotes (seen by debugging with bash -x). Output of scp:

scp -v abc user@remote:'`touch pwned`/home/user/content/abc' 
Sending file modes: C0644 6 abc
Sink: C0644 6 abc
scp: `touch pwned`/home/user/content/abc: No such file or directory

It does not look exploitable to me, at least on the indicated versions.

jeffbencteux, Dec 05 '20 19:12
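For readers restricting an scp-only key with `command=""` as described in the post above, this is one way to validate the client's request inside the forced command before anything executes it. It is an added example, not code from this repository or from OpenSSH; the wrapper name `scp-guard`, the `/usr/bin/scp` location and the allowed directory are assumptions.

```shell
#!/bin/sh
# Constructed example: forced-command wrapper for an scp-only key.
# authorized_keys entry (wrapper path and key are placeholders):
#   command="/usr/local/bin/scp-guard",restrict ssh-ed25519 AAAA... user@host
# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.
ALLOWED_DIR=/home/user/content   # assumption: directory from the post's example

# Return 0 only for "scp [-v|-r|-p|-d] -t|-f <path>" where <path> is a plain
# path below ALLOWED_DIR. Paths containing spaces are rejected by design.
check_scp_command() {
    set -f            # no globbing while splitting
    set -- $1         # split on whitespace; the expansion is never re-evaluated
    set +f
    [ "$#" -ge 3 ] && [ "$1" = scp ] || return 1
    shift
    mode=
    while [ "$#" -gt 1 ]; do
        case $1 in
            -t|-f) [ -z "$mode" ] || return 1; mode=$1 ;;  # exactly one mode flag
            -v|-r|-p|-d) ;;                                # flags the scp client forwards
            *) return 1 ;;
        esac
        shift
    done
    [ -n "$mode" ] || return 1
    case $1 in
        # Anything outside this set (backticks, $, ;, |, quotes) or ".." is refused.
        *[!A-Za-z0-9_./-]*|*..*) return 1 ;;
        "$ALLOWED_DIR"/?*) return 0 ;;
    esac
    return 1
}

# Entry point when sshd runs this file as the key's forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_scp_command "$SSH_ORIGINAL_COMMAND"; then
        set -f; set -- $SSH_ORIGINAL_COMMAND; shift
        exec /usr/bin/scp "$@"   # assumption: scp location; arguments never pass through a shell
    fi
    echo "scp-guard: rejected command" >&2
    exit 1
fi
```
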

Have not checked with authorized key. Checked with password based authentication only.

Can you mention your command statement here?

cpandya2909, Jan 18 '21 11:01