Merge pull request #1890 from BishopFox/fix/v1.5.x/GHSA-fh4v-v779-4g2w

rkervella · web-flow · commit 10e245326070 · 2025-02-19T11:44:31.000-08:00
Track reverse portfwd state
diff --git a/implant/sliver/sliver.c b/implant/sliver/sliver.c
@@ -3,6 +3,8 @@
 #ifdef __WIN32
 #include <windows.h>
 
+void StartW();
+
 DWORD WINAPI Start()
 {
     StartW();
diff --git a/server/core/rtunnels/rtunnels.go b/server/core/rtunnels/rtunnels.go
@@ -8,6 +8,7 @@ import (
 var (
 	Rtunnels map[uint64]*RTunnel = make(map[uint64]*RTunnel)
 	mutex    sync.RWMutex
+	pending  sync.Map
 )
 
 // RTunnel - Duplex byte read/write
@@ -95,6 +96,21 @@ func RemoveRTunnel(ID uint64) {
 	delete(Rtunnels, ID)
 }
 
+func AddPending(sessionID string, connStr string) {
+	pending.Store(sessionID, connStr)
+}
+
+func DeletePending(sessionID string) {
+	pending.Delete(sessionID)
+}
+
+func Check(sessionID string, connStr string) bool {
+	if val, ok := pending.Load(sessionID); ok {
+		return val == connStr
+	}
+	return false
+}
+
 // func removeAndCloseAllRTunnels() {
 // 	mutex.Lock()
 // 	defer mutex.Unlock()
diff --git a/server/handlers/sessions.go b/server/handlers/sessions.go
@@ -226,9 +226,14 @@ func createReverseTunnelHandler(implantConn *core.ImplantConnection, data []byte
 	req := &sliverpb.TunnelData{}
 	proto.Unmarshal(data, req)
 
-	var defaultDialer = new(net.Dialer)
-
 	remoteAddress := fmt.Sprintf("%s:%d", req.Rportfwd.Host, req.Rportfwd.Port)
+	if !rtunnels.Check(session.ID, remoteAddress) {
+		sessionHandlerLog.Errorf("Session %s attempted to create reverse tunnel to %s without being initiated by a client", session.ID, remoteAddress)
+		return nil
+	}
+	defer rtunnels.DeletePending(session.ID)
+
+	var defaultDialer = new(net.Dialer)
 
 	ctx, cancelContext := context.WithCancel(context.Background())
 
diff --git a/server/rpc/rpc-rportfwd.go b/server/rpc/rpc-rportfwd.go
@@ -23,6 +23,7 @@ import (
 
 	"github.com/bishopfox/sliver/protobuf/commonpb"
 	"github.com/bishopfox/sliver/protobuf/sliverpb"
+	"github.com/bishopfox/sliver/server/core/rtunnels"
 )
 
 // GetRportFwdListeners - Get a list of all reverse port forwards listeners from an implant
@@ -38,6 +39,7 @@ func (rpc *Server) GetRportFwdListeners(ctx context.Context, req *sliverpb.Rport
 // StartRportfwdListener - Instruct the implant to start a reverse port forward
 func (rpc *Server) StartRportFwdListener(ctx context.Context, req *sliverpb.RportFwdStartListenerReq) (*sliverpb.RportFwdListener, error) {
 	resp := &sliverpb.RportFwdListener{Response: &commonpb.Response{}}
+	rtunnels.AddPending(req.Request.SessionID, req.ForwardAddress)
 	err := rpc.GenericHandler(req, resp)
 	if err != nil {
 		return nil, err

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,8 @@`
`3`	`3`	`#ifdef __WIN32`
`4`	`4`	`#include <windows.h>`
`5`	`5`
	`6`	`+void StartW();`
	`7`	`+`
`6`	`8`	`DWORD WINAPI Start()`
`7`	`9`	`{`
`8`	`10`	`StartW();`