SSH’s ProxyCommand
is a feature quite widely used to proxy ssh connections by allowing to specify custom commands to be used to connect to the server. Arguments to this directive may contain tokens like %h
, %u
which refer to hostname and username respectively.
When coming from untrusted sources, a hostname can be malicious and look something like `malicious-command` (backticks would allow a command to be executed in shell)
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
What do you think?
It is nice to know your opinion. Leave a comment.