shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-11 10:40:27 +09:00
Code Issues Packages Projects Releases Wiki Activity

CVE-2023-6004: torture_proxycommand: Add test for proxycommand injection

Browse Source 
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
This commit is contained in:
Norbert Pocs
2023-10-10 10:28:47 +02:00
committed by Andreas Schneider
parent 95c6f880ef
commit 7b697d711e
1 changed files with 53 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
tests/client/torture_proxycommand.c
View File

@@ -166,6 +166,56 @@ static void torture_options_set_proxycommand_ssh_stderr(void **state)
assert_int_equal(rc & O_RDWR, O_RDWR); assert_int_equal(rc & O_RDWR, O_RDWR);
} }
static void torture_options_proxycommand_injection(void **state)
{
struct torture_state *s = *state;
struct passwd *pwd = NULL;
const char *malicious_host = "`echo foo > mfile`";
const char *command = "nc %h %p";
char *current_dir = NULL;
char *malicious_file_path = NULL;
int mfp_len;
int verbosity = torture_libssh_verbosity();
struct stat sb;
int rc;
pwd = getpwnam("bob");
assert_non_null(pwd);
rc = setuid(pwd->pw_uid);
assert_return_code(rc, errno);
s->ssh.session = ssh_new();
assert_non_null(s->ssh.session);
ssh_options_set(s->ssh.session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
// if we would be checking the rc, this should fail
ssh_options_set(s->ssh.session, SSH_OPTIONS_HOST, malicious_host);
ssh_options_set(s->ssh.session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_PROXYCOMMAND, command);
assert_int_equal(rc, 0);
rc = ssh_connect(s->ssh.session);
assert_ssh_return_code_equal(s->ssh.session, rc, SSH_ERROR);
current_dir = torture_get_current_working_dir();
assert_non_null(current_dir);
mfp_len = strlen(current_dir) + 6;
malicious_file_path = malloc(mfp_len);
assert_non_null(malicious_file_path);
rc = snprintf(malicious_file_path, mfp_len,
"%s/mfile", current_dir);
assert_int_equal(rc, mfp_len);
free(current_dir);
rc = stat(malicious_file_path, &sb);
assert_int_not_equal(rc, 0);
// cleanup
remove(malicious_file_path);
free(malicious_file_path);
}
int torture_run_tests(void) { int torture_run_tests(void) {
int rc; int rc;
struct CMUnitTest tests[] = { struct CMUnitTest tests[] = {
@@ -181,6 +231,9 @@ int torture_run_tests(void) {
cmocka_unit_test_setup_teardown(torture_options_set_proxycommand_ssh_stderr, cmocka_unit_test_setup_teardown(torture_options_set_proxycommand_ssh_stderr,
session_setup, session_setup,
session_teardown), session_teardown),
cmocka_unit_test_setup_teardown(torture_options_proxycommand_injection,
NULL,
session_teardown),
}; };