Merge pull request #1890 from BishopFox/fix/v1.5.x/GHSA-fh4v-v779-4g2w

Track reverse portfwd state
BishopFox · Feb 19, 2025 · 10e2453 · 10e2453
2 parents ba05d0a + 0b84466
commit 10e2453
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 2 deletions.
diff --git a/implant/sliver/sliver.c b/implant/sliver/sliver.c
@@ -3,6 +3,8 @@
 #ifdef __WIN32
 #include <windows.h>
 
+void StartW();
+
 DWORD WINAPI Start()
 {
     StartW();

diff --git a/server/core/rtunnels/rtunnels.go b/server/core/rtunnels/rtunnels.go
@@ -8,6 +8,7 @@ import (
 var (
 	Rtunnels map[uint64]*RTunnel = make(map[uint64]*RTunnel)
 	mutex    sync.RWMutex
+	pending  sync.Map
 )
 
 // RTunnel - Duplex byte read/write
@@ -95,6 +96,21 @@ func RemoveRTunnel(ID uint64) {
 	delete(Rtunnels, ID)
 }
 
+func AddPending(sessionID string, connStr string) {
+	pending.Store(sessionID, connStr)
+}
+
+func DeletePending(sessionID string) {
+	pending.Delete(sessionID)
+}
+
+func Check(sessionID string, connStr string) bool {
+	if val, ok := pending.Load(sessionID); ok {
+		return val == connStr
+	}
+	return false
+}
+
 // func removeAndCloseAllRTunnels() {
 // 	mutex.Lock()
 // 	defer mutex.Unlock()

diff --git a/server/handlers/sessions.go b/server/handlers/sessions.go
@@ -226,9 +226,14 @@ func createReverseTunnelHandler(implantConn *core.ImplantConnection, data []byte
 	req := &sliverpb.TunnelData{}
 	proto.Unmarshal(data, req)
 
-	var defaultDialer = new(net.Dialer)
-
 	remoteAddress := fmt.Sprintf("%s:%d", req.Rportfwd.Host, req.Rportfwd.Port)
+	if !rtunnels.Check(session.ID, remoteAddress) {
+		sessionHandlerLog.Errorf("Session %s attempted to create reverse tunnel to %s without being initiated by a client", session.ID, remoteAddress)
+		return nil
+	}
+	defer rtunnels.DeletePending(session.ID)
+
+	var defaultDialer = new(net.Dialer)
 
 	ctx, cancelContext := context.WithCancel(context.Background())
 

diff --git a/server/rpc/rpc-rportfwd.go b/server/rpc/rpc-rportfwd.go
@@ -23,6 +23,7 @@ import (
 
 	"github.com/bishopfox/sliver/protobuf/commonpb"
 	"github.com/bishopfox/sliver/protobuf/sliverpb"
+	"github.com/bishopfox/sliver/server/core/rtunnels"
 )
 
 // GetRportFwdListeners - Get a list of all reverse port forwards listeners from an implant
@@ -38,6 +39,7 @@ func (rpc *Server) GetRportFwdListeners(ctx context.Context, req *sliverpb.Rport
 // StartRportfwdListener - Instruct the implant to start a reverse port forward
 func (rpc *Server) StartRportFwdListener(ctx context.Context, req *sliverpb.RportFwdStartListenerReq) (*sliverpb.RportFwdListener, error) {
 	resp := &sliverpb.RportFwdListener{Response: &commonpb.Response{}}
+	rtunnels.AddPending(req.Request.SessionID, req.ForwardAddress)
 	err := rpc.GenericHandler(req, resp)
 	if err != nil {
 		return nil, err