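Related vulnerability
Title:
OpenSSH race condition vulnerability
(CVE-2018-15473)
Description: OpenSSH (OpenBSD Secure Shell) is a set of connectivity tools from the OpenBSD project for securely accessing remote computers. It is an open-source implementation of the SSH protocol, supports encryption of all traffic, and effectively prevents eavesdropping, connection hijacking, and other network-level attacks. A race condition vulnerability exists in OpenSSH 7.7 and earlier. It stems from improper handling of concurrent access when concurrent code needs mutually exclusive access to shared resources while the network system or product is running.
Description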
This script checks for the OpenSSH 7.7 (and prior) username enumeration vulnerability (CVE-2018-15473). It sends a malformed authentication packet and interprets the SSH server’s response to identify valid usernames.
Introduction
# OpenSSH Username Enumeration Script (CVE-2018-15473)
This script checks for the OpenSSH 7.7 (and prior) username enumeration vulnerability (CVE-2018-15473).
It sends a malformed authentication packet and interprets the SSH server’s response to identify valid usernames.
---
## Original code
https://www.exploit-db.com/download/45233
## Updates
1. Python Compatibility
Converted all print statements to Python 3 syntax (`print("...")`).
Replaced `map(str.strip, f.readlines())` with a list comprehension for clarity and compatibility.
2. Paramiko 3.x+ Compatibility
Replaced:
```
paramiko.auth_handler.AuthHandler._handler_table[...]
```
with:
```
from paramiko.auth_handler import AuthHandler
client_table = AuthHandler._client_handler_table.fget(AuthHandler)
```
This avoids `TypeError: 'property' object is not subscriptable`.
4. Replaced direct patching:
`handler_table[MSG_SERVICE_ACCEPT] = malform_packet`
with
`client_table[paramiko.common.MSG_SERVICE_ACCEPT] = malform_packet`
5. RSA Key Generation Optimization
Avoided repeated generation of 1024-bit RSA keys (slow and insecure).
Introduced a cached 2048-bit RSAKey for testing.
6. Logging & Output Fixes
Removed reliance on `args.outputFile` being mandatory.
Added fallback to `sys.stdout` if `--outputFile` is not provided.
7. Minor fixes
Disabled Paramiko's noisy internal logging.
Replaced deprecated or redundant exception-handling patterns.
Applied consistent spacing/indentation (converted all tabs to 4 spaces).
## Requirements
- Python 3.6+
- Paramiko (tested with v3.4.0+)
Install dependencies:
```bash
pip3 install -r requirements.txt
```
---
## Usage
### Basic
```bash
python3 open-ssh-ue.py <hostname> --userList wordlist.txt
```
### Full Example
```bash
python3 open-ssh-ue.py hostname \
--userList wordlist.txt \
--threads 10 \
--outputFile results.json \
--outputFormat json
```
---
## Arguments
### Positional
- `hostname`: The target SSH server IP or domain.
### Optional
- `--port`: SSH port (default is `22`)
- `--threads`: Number of concurrent threads (default is `5`)
- `--userList`: Path to a username list file (one username per line)
- `--username`: Test a single username
- `--outputFile`: Path to save results (optional; prints to terminal if omitted)
- `--outputFormat`: Output format: `list`, `json`, or `csv` (default: `list`)
---
## Output Formats
- `list`: Plain text per-username result
- `json`: Structured list of valid/invalid usernames
- `csv`: Comma-separated values
---
## Legal Disclaimer
Use this tool **only on systems you own or have explicit permission to test**.
Unauthorized use is illegal and unethical.
---
## Reference
- [CVE-2018-15473 – OpenSSH Username Enumeration](https://nvd.nist.gov/vuln/detail/CVE-2018-15473)
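
For defenders triaging exposure, the following added example (not part of the original README or script) sorts already-collected SSH identification strings against the "7.7 and prior" boundary stated above. The inventory, function names, and status labels are assumptions for illustration; because distributions backport fixes without changing the upstream version number, banners that carry a vendor comment are flagged for a package-level check rather than reported as affected.

```python
import re

# Last affected upstream release per the description above ("7.7 and prior").
LAST_AFFECTED = (7, 7)

# RFC 4253 identification string: SSH-<proto>-<software>[ <comments>]
BANNER_RE = re.compile(
    r"^SSH-\d+\.\d+-OpenSSH_(?:for_Windows_)?"
    r"(?P<major>\d+)\.(?P<minor>\d+)\S*(?:\s+(?P<comment>.+))?$"
)

def classify_banner(banner):
    """Return (status, (major, minor)) for one identification string."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return ("unrecognized", None)
    version = (int(m["major"]), int(m["minor"]))
    if version > LAST_AFFECTED:
        return ("not-affected", version)
    # A vendor comment (e.g. "Debian-10+deb9u7") means a distribution build:
    # the fix may be backported, so the package changelog decides, not the banner.
    if m["comment"]:
        return ("check-package", version)
    return ("affected", version)

def triage(inventory):
    """Return only the hosts that need follow-up, keyed by host."""
    results = {host: classify_banner(b) for host, b in inventory.items()}
    return {h: r for h, r in results.items()
            if r[0] in ("affected", "check-package")}

# Constructed sample inventory (documentation addresses, invented banners).
SAMPLE_INVENTORY = {
    "192.0.2.10": "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "192.0.2.11": "SSH-2.0-OpenSSH_7.7",
    "192.0.2.12": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1",
    "192.0.2.13": "SSH-2.0-dropbear_2020.81",
    "192.0.2.14": "SSH-2.0-OpenSSH_6.6.1p1",
}

if __name__ == "__main__":
    for host, (status, version) in sorted(triage(SAMPLE_INVENTORY).items()):
        print(host, status, "%d.%d" % version)
```

Hosts reported as `check-package` should be resolved against the distribution's security tracker or package changelog for CVE-2018-15473 before being treated as exposed.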
File snapshot
[4.0K] /data/pocs/7ca0af8f23f7b83d8642db60c6ad6fbddccec923
├── [1.1K] LICENSE
├── [6.7K] open-ssh-ue.py
├── [2.7K] README.md
├── [ 16] requirements.txt
└── [ 445] wordlist.txt
0 directories, 5 files