2024-05-25 21:48:12 +02:00
### [CVE-2023-38408](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38408)



### Description
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
### POC
#### Reference
- http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html
- https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent
- https://news.ycombinator.com/item?id=36790196
#### GitHub
- https://github.com/Aijoo100/Aijoo100
- https://github.com/FarelRA/MKM_ssh
- https://github.com/LucasPDiniz/CVE-2023-38408
- https://github.com/LucasPDiniz/StudyRoom
- https://github.com/Magisk-Modules-Repo/ssh
- https://github.com/Threekiii/CVE
- https://github.com/amirphl/atlas
- https://github.com/aneasystone/github-trending
- https://github.com/bollwarm/SecToolSet
- https://github.com/classic130/CVE-2023-38408
- https://github.com/djalilayed/tryhackme
- https://github.com/firatesatoglu/iot-searchengine
- https://github.com/johe123qwe/github-trending
- https://github.com/kali-mx/CVE-2023-38408
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/scmanjarrez/CVEScannerV2
- https://github.com/scmanjarrez/test
- https://github.com/snowcra5h/CVE-2023-38408
- https://github.com/testing-felickz/docker-scout-demo
- https://github.com/thesakibrahman/THM-Free-Room
- https://github.com/wxrdnx/CVE-2023-38408