libnbd
cpe:2.3:a:redhat:libnbd:*:*:*:*:*:*:*
- >= 1.22
A vulnerability in libnbd allows arbitrary code execution because a non-standard hostname in a URI can be injected into the arguments of the SSH process. The issue arises when libnbd is convinced to open a crafted URI, particularly one whose hostname starts with '-o', which is misinterpreted as an SSH argument rather than a host. The flaw is present in libnbd versions 1.22 and later.
Exploitation of this vulnerability could result in arbitrary code execution with the privileges of the user running libnbd.
To reproduce this vulnerability, libnbd must be used to open a URI that is intentionally crafted to include a hostname starting with '-o'. This can be done by using libnbd tools such as 'nbdinfo' with an 'nbd+ssh://' URI that includes the malicious hostname. Because the hostname field is not properly sanitized, the injected arguments are passed to the SSH process, where they can be executed as commands.
Users should ensure that applications using libnbd do not process URIs from untrusted sources. Restricting the origins of URIs handled by libnbd can help mitigate the risk of exploitation.
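One way an application could pre-filter URIs before handing them to libnbd, shown as an added example that is not part of libnbd or of this advisory. The function names, the allowlist and the sample hosts (`backup01.example.com`, `-oPLACEHOLDER`) are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 1123 style label: starts and ends with a letter or digit, so a
# leading '-' (the option-like hostname this advisory describes) never matches.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_plain_host(host):
    """True for an IP literal or a syntactically ordinary DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return len(host) <= 253 and _HOSTNAME.fullmatch(host) is not None


def vet_nbd_uri(uri, trusted_hosts):
    """Return (ok, reason). trusted_hosts is a set of lowercase host names."""
    # Python's parser silently drops some whitespace; refuse it up front so
    # the string checked here is the same string libnbd will later parse.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in uri):
        return False, "whitespace or control character in URI"
    try:
        parts = urlsplit(uri)
        host = parts.hostname  # userinfo and port removed, lowercased
    except ValueError:
        return False, "unparseable URI"
    if not parts.scheme.startswith("nbd"):
        return False, "not an NBD URI"
    if host is None:
        return False, "no host component"
    if not is_plain_host(host):
        return False, "host is not a plain DNS name or IP address"
    if host not in trusted_hosts:
        return False, "host not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    trusted = {"backup01.example.com"}  # constructed allowlist
    for sample in ("nbd+ssh://backup01.example.com/disk",
                   "nbd+ssh://-oPLACEHOLDER/disk"):
        print(sample, vet_nbd_uri(sample, trusted))
```

This is a pre-filter in front of libnbd, not a replacement for upgrading to a fixed release; the allowlist is what enforces the "trusted origins" recommendation, while the syntax check catches option-like hostnames even if the allowlist is misconfigured.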