Issue 2545 Argument smuggling in SSH repository URLs

Title Argument smuggling in SSH repository URLs
Priority Status unknown
Milestone Resolved in
Superseder Nosy List mithrandi
Assigned To

Created on 2017-08-15.19:15:00 by mithrandi, last changed 2017-08-16.18:46:31 by bf.

msg19595 (view) Author: mithrandi Date: 2017-08-15.19:14:56
Similarly to git (CVE-2017-1000117), Subversion (CVE-2017-9800), and 
Mercurial (CVE-2017-1000116), options for scp/ssh/etc. can be smuggled 
in a darcs repository URL. For example:

darcs get 'ssh://-oProxyCommand=xdg-open https:example.com/'

I believe darcs offers no obvious way (such as git submodules) to 
deliver such an "evil" URL to an unsuspecting user, but I think this is 
still an unexpected security hazard.
msg19599 (view) Author: bf Date: 2017-08-16.18:18:21
What i do not understand here: isn't this a bug in ssh, rather than the
programs that use it? IMO, if ssh interprets 'ssh://-oWhatever' as an
option then it's command line parser is broken and should be fixed;
instead of burdening all existing programs and scripts that happen to
use ssh to apply work-arounds to avoid the issue.
msg19600 (view) Author: mithrandi Date: 2017-08-16.18:36:09
The URL is parsed by darcs, not by ssh (note that darcs parses 
hostname:path syntax as well as ssh://hostname/path, and forms of this 
attack are possible with both syntaxes). The eventual command that gets 
run (you can see this with -debug) is something like:

ssh -oProxyCommand=blahblah darcs transfer-mode

Adding a -- in front of the hostname is sufficient to prevent it from 
being interpreted as a command-line option:

$ ssh -- -oProxyCommand=blah blah
ssh: Could not resolve hostname -oproxycommand=blah: No address 
associated with hostname
msg19603 (view) Author: bf Date: 2017-08-16.18:46:30
Thanks mithrandi, that clears it up; sorry for blaming ssh, will fix.
Date User Action Args
2017-08-15 19:15:00mithrandicreate
2017-08-16 18:18:22bfsetmessages: + msg19599
2017-08-16 18:36:10mithrandisetmessages: + msg19600
2017-08-16 18:46:31bfsetmessages: + msg19603