CVE-2016-3115

MEDIUM

OpenSSH < 7.2 - Authenticated Command Restriction Bypass via X11 Forwarding CRLF Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-3115. PoCs published by tintinweb.

AI-analyzed exploit summary This exploit demonstrates a CRLF injection vulnerability in OpenSSH (CVE-2016-3115) where an authenticated user can inject arbitrary xauth commands via a newline character in the x11 cookie, potentially bypassing forced-commands or /bin/false restrictions. The PoC includes functional code to exploit this vulnerability and outlines the technical details of the attack.

Description

Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.

Exploits (1)

exploitdb WORKING POC

by tintinweb · pythonremotemultiple

https://www.exploit-db.com/exploits/39569

View Code ZIP pw:eip

This exploit demonstrates a CRLF injection vulnerability in OpenSSH (CVE-2016-3115) where an authenticated user can inject arbitrary xauth commands via a newline character in the x11 cookie, potentially bypassing forced-commands or /bin/false restrictions. The PoC includes functional code to exploit this vulnerability and outlines the technical details of the attack.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: OpenSSH <= 7.2p1

Auth required

Prerequisites: X11Forwarding enabled on the server · Authenticated user access

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (25)

Core 25

Core References

Vendor Advisory x_refsource_confirm

http://www.openssh.com/txt/x11fwd.adv

Vendor Advisory x_refsource_confirm

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

Various Sources x_refsource_misc

https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115

Exploit, Third Party Advisory x_refsource_misc

http://packetstormsecurity.com/files/136234/OpenSSH-7.2p1-xauth-Command-Injection-Bypass.html

Vendor Advisory vendor-advisory x_refsource_freebsd

https://www.freebsd.org/security/advisories/FreeBSD-SA-16:14.openssh.asc

Vendor Advisory x_refsource_confirm

http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/39569/

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2016-0466.html

Various Sources x_refsource_confirm

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1035249

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183101.html

Vendor Advisory x_refsource_confirm

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

Various Sources x_refsource_confirm

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.281&r2=1.282&f=h

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

http://lists.fedoraproject.org/pipermail/package-announce/2016-March/180491.html

Various Sources x_refsource_confirm

https://bto.bluecoat.com/security-advisory/sa121

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201612-18

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/84314

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179924.html

Mailing List mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184264.html

Mailing List mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2016/Mar/47

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2016-0465.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183122.html

Mailing List mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2016/Mar/46

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178838.html

Scores

CVSS v3 6.4

EPSS 0.3702

EPSS Percentile 98.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-93

Status published

Products (2)

openbsd/openssh < 7.2

oracle/vm_server 3.2

Published Mar 22, 2016

Tracked Since Feb 18, 2026