Fix issue where exposing server port would result in invalid ip address, add option to link to allow host header to be used for template determination

Author: NHAS

internal/client/handlers/remoteforward.go

@@ -121,11 +121,11 @@ func handleData(rf internal.RemoteForwardRequest, proxyCon net.Conn, sshConn ssh
 
 	drtMsg := internal.ChannelOpenDirectMsg{
 
-		Raddr: rf.BindAddr,
-		Rport: rf.BindPort,
+		Raddr: originatorAddress,
+		Rport: uint32(originatorPortInt),
 
-		Laddr: originatorAddress,
-		Lport: uint32(originatorPortInt),
+		Laddr: rf.BindAddr,
+		Lport: rf.BindPort,
 	}
 
 	log.Printf("formed drtMsg: %+v", drtMsg)

internal/server/commands/connect.go

@@ -43,7 +43,8 @@ func (c *connect) Run(user *users.User, tty io.ReadWriter, line terminal.ParsedL
 	}
 
 	if len(line.Arguments) < 1 {
-		return fmt.Errorf(c.Help(false))
+
+		return fmt.Errorf("%s", c.Help(false))
 	}
 
 	shell, _ := line.GetArgString("shell")

internal/server/commands/link.go

@@ -41,6 +41,7 @@ func (l *link) ValidArgs() map[string]string {
 		"stdio":             "Use stdin and stdout as transport, will disable logging, destination after stdio:// is ignored",
 		"http":              "Use http polling as the underlying transport",
 		"https":             "Use https polling as the underlying transport",
+		"use-host-header":   "Use the client supplied host header as the callback address",
 		"shared-object":     "Generate shared object file",
 		"fingerprint":       "Set RSSH server fingerprint will default to server public key",
 		"garble":            "Use garble to obfuscate the binary (requires garble to be installed)",
@@ -154,6 +155,8 @@ func (l *link) Run(user *users.User, tty io.ReadWriter, line terminal.ParsedLine
 		buildConfig.ConnectBackAdress = webserver.DefaultConnectBack
 	}
 
+	buildConfig.UseHostHeader = line.IsSet("use-host-header")
+
 	tt := map[string]bool{
 		"tls":   line.IsSet("tls"),
 		"wss":   line.IsSet("wss"),

internal/server/data/downloads.go

@@ -25,6 +25,9 @@ type Download struct {
 	Version         string
 	FileSize        float64
 
+	// when generating the template use the host header
+	UseHostHeader bool
+
 	// Where to download the file to
 	WorkingDirectory string
 }

internal/server/handlers/forwardserverport.go

@@ -20,9 +20,23 @@ var (
 	remoteForwards           = map[string]ssh.Channel{}
 )
 
+type chanAddress struct {
+	Port uint32
+	IP   string
+}
+
+func (c *chanAddress) Network() string {
+	return "remote_forward_tcp"
+}
+
+func (c *chanAddress) String() string {
+	return net.JoinHostPort(c.IP, fmt.Sprintf("%d", c.Port))
+}
+
 type chanConn struct {
-	channel ssh.Channel
-	drtMsg  internal.ChannelOpenDirectMsg
+	channel    ssh.Channel
+	localAddr  chanAddress
+	remoteAddr chanAddress
 }
 
 func (c *chanConn) Read(b []byte) (n int, err error) {
@@ -38,17 +52,11 @@ func (c *chanConn) Close() error {
 }
 
 func (c *chanConn) LocalAddr() net.Addr {
-	return &net.TCPAddr{
-		IP:   net.ParseIP(c.drtMsg.Laddr),
-		Port: int(c.drtMsg.Lport),
-	}
+	return &c.localAddr
 }
 
 func (c *chanConn) RemoteAddr() net.Addr {
-	return &net.TCPAddr{
-		IP:   net.ParseIP(c.drtMsg.Raddr),
-		Port: int(c.drtMsg.Rport),
-	}
+	return &c.remoteAddr
 }
 
 func (c *chanConn) SetDeadline(t time.Time) error {
@@ -67,7 +75,17 @@ func (c *chanConn) SetWriteDeadline(t time.Time) error {
 
 func channelToConn(channel ssh.Channel, drtMsg internal.ChannelOpenDirectMsg) net.Conn {
 
-	return &chanConn{channel, drtMsg}
+	return &chanConn{
+		channel: channel,
+		localAddr: chanAddress{
+			Port: drtMsg.Lport,
+			IP:   drtMsg.Raddr,
+		},
+		remoteAddr: chanAddress{
+			Port: drtMsg.Rport,
+			IP:   drtMsg.Raddr,
+		},
+	}
 }
 
 func ServerPortForward(clientId string) func(_ string, _ *users.User, newChannel ssh.NewChannel, log logger.Logger) {

internal/server/sshd.go

@@ -253,37 +253,51 @@ func StartSSHServer(sshListener net.Listener, privateKey ssh.Signer, insecure, o
 		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
 
 			remoteIp := getIP(conn.RemoteAddr().String())
+			// from forwradserverport.go, effectively when pivoting and exposing the server port we have to just trust whatever structure the client gives us for our remote/local addresses,
+			// we dont want someone being able to bypass ip allow lists, so mark it as untrusted
+			isUntrustWorthy := conn.RemoteAddr().Network() == "remote_forward_tcp"
 
 			if remoteIp == nil {
 				return nil, fmt.Errorf("not authorized %q, could not parse IP address %s", conn.User(), conn.RemoteAddr())
 			}
 
 			// Check administrator keys first, they can impersonate users
 			perm, err := CheckAuth(adminAuthorizedKeysPath, key, remoteIp, false)
-			if err == nil {
+			if err == nil && !isUntrustWorthy {
 				perm.Extensions["type"] = "user"
 				perm.Extensions["privilege"] = "5"
 
 				return perm, err
 			}
 			if err != ErrKeyNotInList {
-				return nil, fmt.Errorf("admin with supplied username (%s) denied login: %s", strconv.QuoteToGraphic(conn.User()), err)
+				err = fmt.Errorf("admin with supplied username (%s) denied login: %s", strconv.QuoteToGraphic(conn.User()), err)
+				if isUntrustWorthy {
+					err = fmt.Errorf("admin (%s) denied login: %s: cannot connect admins via pivoted server port (may result in allow list bypass)", strconv.QuoteToGraphic(conn.User()), err)
+				}
+				return nil, err
 			}
 
 			// Stop path traversal
 			authorisedKeysPath := filepath.Join(usersKeysDir, filepath.Join("/", filepath.Clean(conn.User())))
 			perm, err = CheckAuth(authorisedKeysPath, key, remoteIp, false)
-			if err == nil {
+			if err == nil && !isUntrustWorthy {
 				perm.Extensions["type"] = "user"
 				perm.Extensions["privilege"] = "0"
 
 				return perm, err
 			}
 
 			if err != ErrKeyNotInList {
-				return nil, fmt.Errorf("user (%s) denied login: %s", strconv.QuoteToGraphic(conn.User()), err)
+				err = fmt.Errorf("user (%s) denied login: %s", strconv.QuoteToGraphic(conn.User()), err)
+				if isUntrustWorthy {
+					err = fmt.Errorf("user (%s) denied login: %s: cannot connect users via pivoted server port (may result in allow list bypass)", strconv.QuoteToGraphic(conn.User()), err)
+				}
+
+				return nil, err
 			}
 
+			// not going to check isUntrustWorthy down here as these are often the reason we're pivoting into a place anyway
+
 			//If insecure mode, then any unknown client will be connected as a controllable client.
 			//The server effectively ignores channel requests from controllable clients.
 			perms, err := CheckAuth(authorizedControlleeKeysPath, key, remoteIp, insecure)

internal/server/webserver/buildmanager.go

@@ -45,6 +45,7 @@ type BuildConfig struct {
 	Garble        bool
 	DisableLibC   bool
 	RawDownload   bool
+	UseHostHeader bool
 
 	WorkingDirectory string
 
@@ -87,6 +88,7 @@ func Build(config BuildConfig) (string, error) {
 	var f data.Download
 	f.WorkingDirectory = config.WorkingDirectory
 	f.CallbackAddress = config.ConnectBackAdress
+	f.UseHostHeader = config.UseHostHeader
 
 	filename, err := internal.RandomString(16)
 	if err != nil {

internal/server/webserver/webserver.go

@@ -86,7 +86,7 @@ func buildAndServe(autogeneratedConnectBack bool) http.HandlerFunc {
 			if linkExtension != "" {
 
 				host := DefaultConnectBack
-				if autogeneratedConnectBack {
+				if autogeneratedConnectBack || f.UseHostHeader {
 					host = req.Host
 				}