Summary
A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host.
Details
Zoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers.
In HandleCreateProxySession
the request to create an SSH session is handled. After checking for the presence of required parameters, ensuring that the target is not the loopback interface and that there is actually an SSH service running on the target, CreateNewConnection
is called:
https://github.com/tobychui/zoraxy/blob/e79a70b7acfa45c2445aff9d60e4e7525c89fec8/src/mod/sshprox/sshprox.go#L165-L178
In line 178, the gotty
binary is executed running sshCommand
from the line above. It contains the user-controlled variable connAddr
, which includes the hostname of the SSH server and - if provided - the username.
An attacker can exploit the username
variable to escape from the bash
command and inject arbitrary commands into sshCommand
. This is possible, because, unlike hostname and port, the username is not validated or sanitized.
This vulnerability was introduced in tobychui/zoraxy@c07d5f8.
If Zoraxy is run without authentication of the management interface (started with-noauth
), this vulnerability can be exploited without authentication.
Additionally, if Zoraxy is run in Docker with the Docker socket mounted (as described in https://github.com/tobychui/zoraxy/blob/9cb315ea6739d1cc201b690322d25166b12dc5db/docker/README.md), this vulnerability can be exploited to escape the Zoraxy container and gain access to the Docker host.
PoC
- Download and run Zoraxy as described in the README
- Setup a user
- Login as user
- Navigate to Other -> Network Tools -> Connection
- Enter hostname / IP of any server with SSH running, e.g.
github.com
- Enter
; bash ;
as user
- Click
Connect using SSH
- A window will open with
bash
running on the Zoraxy host
Demo:
https://github.com/user-attachments/assets/5a3d8771-167f-4a79-8665-ed0dfb490181
Impact
This vulnerability allows an authenticated attacker to gain remote code execution with the privileges of the Zoraxy process (root by default). This affects Zoraxy versions 2.6.1 through 3.1.2.
References
Summary
A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host.
Details
Zoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers.
In
HandleCreateProxySession
the request to create an SSH session is handled. After checking for the presence of required parameters, ensuring that the target is not the loopback interface and that there is actually an SSH service running on the target,CreateNewConnection
is called:https://github.com/tobychui/zoraxy/blob/e79a70b7acfa45c2445aff9d60e4e7525c89fec8/src/mod/sshprox/sshprox.go#L165-L178
In line 178, the
gotty
binary is executed runningsshCommand
from the line above. It contains the user-controlled variableconnAddr
, which includes the hostname of the SSH server and - if provided - the username.An attacker can exploit the
username
variable to escape from thebash
command and inject arbitrary commands intosshCommand
. This is possible, because, unlike hostname and port, the username is not validated or sanitized.This vulnerability was introduced in tobychui/zoraxy@c07d5f8.
If Zoraxy is run without authentication of the management interface (started with
-noauth
), this vulnerability can be exploited without authentication.Additionally, if Zoraxy is run in Docker with the Docker socket mounted (as described in https://github.com/tobychui/zoraxy/blob/9cb315ea6739d1cc201b690322d25166b12dc5db/docker/README.md), this vulnerability can be exploited to escape the Zoraxy container and gain access to the Docker host.
PoC
github.com
; bash ;
as userConnect using SSH
bash
running on the Zoraxy hostDemo:
https://github.com/user-attachments/assets/5a3d8771-167f-4a79-8665-ed0dfb490181
Impact
This vulnerability allows an authenticated attacker to gain remote code execution with the privileges of the Zoraxy process (root by default). This affects Zoraxy versions 2.6.1 through 3.1.2.
References