LibSSH authentication bypass: CVE-2018-10933
In this post we will go through the details of the LibSSH authentication bypass, CVE-2018-10933, along with a demo of how it is exploited.
This vulnerability was identified by Peter Winter and was disclosed by LibSSH on 16 October 2018 under the assigned ID CVE-2018-10933. He found a flaw in the server code that allows a client to bypass the usual authentication process and gain root-level access to the server.
Applications using LibSSH version 0.6 or later, but earlier than 0.7.6 (on the 0.7 branch) or 0.8.4 (on the 0.8 branch), are likely to be vulnerable to this CVE. Some known applications using LibSSH:
– KDE uses libssh for sftp file transfers
– GitHub implemented their git ssh server with libssh
– X2Go, a Remote Desktop solution for Linux
– csync, a bidirectional file synchronizer
– Remmina, the GTK+/Gnome Remote Desktop Client
– XBMC, a media player and entertainment hub for digital media
– GNU Gatekeeper, a full-featured H.323 gatekeeper
What is LibSSH?
According to the official documentation, LibSSH is a C library that enables you to write a program that uses the SSH protocol. With it, you can remotely execute programs, transfer files, or use a secure and transparent tunnel for your remote programs. The SSH protocol is encrypted, ensures data integrity, and provides strong means of authenticating both the server and the client. The library hides a lot of the technical details of the SSH protocol, but this does not mean that you should not try to learn about and understand those details.
Note that LibSSH should not be confused with OpenSSH or LibSSH2; all three are different projects.
This is the official statement released by LibSSH:
“libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authenticate without any credentials.”
To carry out this exploit we need a server running a vulnerable version of LibSSH, or we can directly download a box/server that already runs a vulnerable version. The one used here was made by Pentester Lab and can be downloaded from here. It is an iso file, so you can easily start this box with either VirtualBox or VMware. First, let's check the IP address of the vulnerable machine: type the command ifconfig on the box to see its IP. In our case, the victim's IP is 192.168.0.100.
Then move to your attacker machine (in my case I'll be using Kali). We will first run an Nmap scan to confirm that libssh is running, so type in the command below:
nmap -sV 192.168.0.100
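As an added example (not part of the original post and not the exploit script it refers to), here is a small Python helper for the defensive side of this step: it parses the identification banner an SSH server sends, which is what nmap -sV reports, and classifies a libssh version against the ranges stated above (0.6 and later affected; 0.7.6 and 0.8.4 fixed). The banner shapes SSH-2.0-libssh_0.8.1 and SSH-2.0-libssh-0.6.3, the sample inventory, and the fetch_banner helper are assumptions made for this example; the version ranges are the ones this post quotes.

```python
import re
import socket
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Ranges from the advisory quoted in this post: every release from 0.6 on is
# affected; the fixes shipped as 0.7.6 (0.7 branch) and 0.8.4 (0.8 branch).
FIRST_AFFECTED: Version = (0, 6, 0)
FIXED_BY_BRANCH = {(0, 7): (0, 7, 6), (0, 8): (0, 8, 4)}

# Assumed banner shapes: "SSH-2.0-libssh_0.8.1" (underscore) or
# "SSH-2.0-libssh-0.6.3" (hyphen). Adjust if a vendor build prints otherwise.
BANNER_RE = re.compile(r"^SSH-2\.0-libssh[_-](\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_libssh_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch) for a libssh banner, None for anything else."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version: Version) -> bool:
    """True when the version falls inside the CVE-2018-10933 affected ranges."""
    if version < FIRST_AFFECTED:
        return False                      # pre-0.6 servers never had the bug
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is not None:
        return version < fixed            # 0.7.x / 0.8.x: fixed from 0.7.6 / 0.8.4
    if version[:2] == (0, 6):
        return True                       # no fixed release on the 0.6 branch
    return False                          # 0.9 and later were released after the fix


def classify(banner: str) -> str:
    """One of: 'not libssh', 'not affected', 'vulnerable', 'fixed'."""
    version = parse_libssh_version(banner)
    if version is None:
        return "not libssh"
    if version < FIRST_AFFECTED:
        return "not affected"
    return "vulnerable" if is_vulnerable(version) else "fixed"


def fetch_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read the identification line a server sends first (assumed plain TCP banner read)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = s.recv(1)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").strip()


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify (host, banner) pairs; returns [(host, banner, status), ...]."""
    return [(host, banner, classify(banner)) for host, banner in inventory]


# Constructed sample inventory, as if collected from a banner scan.
SAMPLE_INVENTORY = [
    ("192.168.0.100", "SSH-2.0-libssh_0.8.1"),
    ("192.168.0.101", "SSH-2.0-libssh-0.7.6"),
    ("192.168.0.102", "SSH-2.0-libssh-0.6.3"),
    ("192.168.0.103", "SSH-2.0-OpenSSH_7.4"),
]

if __name__ == "__main__":
    for host, banner, status in triage(SAMPLE_INVENTORY):
        print(f"{host:<16} {banner:<24} {status}")
```

The classification deliberately treats a banner it cannot parse as "not libssh" rather than "fixed", so a vendor build with an unusual banner shows up for manual review instead of silently passing; fetch_banner is only needed when you want to collect banners yourself instead of reading them from the nmap output.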
After confirming this, we can start with our exploit. We will make use of a simple Python script that does the job of exploitation for us. You can download the code directly from here: https://github.com/nikhil1232/LibSSH-Authentication-Bypass or you can copy it from below:
- First of all, we create a socket object and connect to the server using the port and host/IP specified.
- paramiko.message.Message is used to create a new SSH2 message.
- Then we use paramiko.transport.Transport to create a new SSH session over the existing socket. This only creates the Transport object; it does not begin the SSH session yet, so we call start_client to begin a client session, as seen in the next line.
- Next, we add a few bytes to the SSH2 message using the add_byte method. This is exactly where we present the server with an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message that the server would expect to initiate authentication.
- After that we send the message (_send_message) over the session created with the transport object.
- open_session is used in the next line to create a channel object, which is used for data transfer.
- In the next line we call the exec_command method, which, as the name suggests, executes a command on the SSH server.
- makefile returns a file object; in the next few lines its contents are read and printed, and the object is finally closed as well.
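To show the server side of what the official statement and the walkthrough above describe, here is an added Python model (written for this post; it is not libssh's source and does not claim to mirror how libssh's fix is coded). It keeps a minimal userauth state machine: in the vulnerable configuration a USERAUTH_SUCCESS arriving from the client is handled as though the server were a client and flips the authentication state; in the hardened configuration the server treats that message as a protocol violation and drops the connection. The message numbers are the real ones from RFC 4252; the credential table and the log strings are constructed for the example.

```python
from enum import Enum, auto

# Message numbers from RFC 4252 (the SSH authentication protocol).
SSH2_MSG_USERAUTH_REQUEST = 50
SSH2_MSG_USERAUTH_FAILURE = 51
SSH2_MSG_USERAUTH_SUCCESS = 52


class AuthState(Enum):
    NONE = auto()
    SUCCESS = auto()


class ModelServer:
    """Toy model of a server's userauth handling (not libssh's code).

    accept_peer_success=True reproduces the flaw in the advisory: the
    client-side handler for USERAUTH_SUCCESS also runs for a message the
    server receives. With the default False, a USERAUTH_SUCCESS arriving at
    a server is a protocol violation and the connection is closed.
    """

    def __init__(self, credentials, accept_peer_success=False):
        self.credentials = credentials          # constructed {user: password}
        self.accept_peer_success = accept_peer_success
        self.auth_state = AuthState.NONE
        self.connected = True
        self.log = []                            # what a defender would see

    def handle(self, msg_type, payload=None):
        """Process one client message; return the reply message number, if any."""
        if not self.connected:
            raise ConnectionError("session already closed")
        if msg_type == SSH2_MSG_USERAUTH_REQUEST:
            user, password = payload
            if self.credentials.get(user) == password:
                self.auth_state = AuthState.SUCCESS
                self.log.append(f"auth ok user={user}")
                return SSH2_MSG_USERAUTH_SUCCESS
            self.log.append(f"auth failed user={user}")
            return SSH2_MSG_USERAUTH_FAILURE
        if msg_type == SSH2_MSG_USERAUTH_SUCCESS:
            if self.accept_peer_success:
                # Vulnerable path: state flips to SUCCESS although no
                # USERAUTH_REQUEST was ever verified.
                self.auth_state = AuthState.SUCCESS
                self.log.append("auth state set by peer-sent USERAUTH_SUCCESS")
                return None
            # Hardened path: a server never legitimately receives this message.
            self.log.append("protocol violation: USERAUTH_SUCCESS from client, disconnecting")
            self.connected = False
            return None
        self.log.append(f"unexpected message type {msg_type}")
        return None

    def open_session(self):
        """A channel may only be opened once authentication really succeeded."""
        if not self.connected:
            raise ConnectionError("session closed")
        if self.auth_state is not AuthState.SUCCESS:
            raise PermissionError("channel request before authentication")
        return "session-channel"


def session_opens_without_credentials(accept_peer_success):
    """Run the advisory's scenario against the model; True if a channel opens."""
    server = ModelServer({"alice": "correct horse"}, accept_peer_success)
    server.handle(SSH2_MSG_USERAUTH_SUCCESS)
    try:
        server.open_session()
        return True
    except (PermissionError, ConnectionError):
        return False


if __name__ == "__main__":
    print("vulnerable model:", session_opens_without_credentials(True))   # True
    print("fixed model:", session_opens_without_credentials(False))       # False
```

The point of the model is the direction check: message 52 is defined as server-to-client only, so a server that dispatches it through a shared handler table needs to know which role it is playing before the handler may touch the authentication state. The log line written on the hardened path is also the event a detection rule would key on, since a legitimate client never sends that message.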
To use this script, type python3 LibAuth.py --help to see all the options and parameters we need to use.
We need to specify the victim's IP address, the port number and finally the command that we want to execute on the victim machine.
The final command would be: python3 LibAuth.py --host 192.168.0.100 -p 22 -c "uname -a"
You can try out different commands as you wish.
Extent of this Vulnerability
The vulnerability in itself is quite severe: anyone can gain access to the victim server without any kind of authentication, and the simplicity with which an attacker can exploit it is alarming. In terms of numbers, however, the count of machines/servers using this SSH library is quite low. With that said, you can find a few public servers running libssh with a very simple Shodan search.
LibSSH has released two versions, 0.8.4 and 0.7.6, to fix the issue, so updating to either of them protects a server from being exploited.
We started with an introduction and a few basics of LibSSH before moving on to the exploitation, the code walkthrough and finally the patch.
That's it for now. See you next time. Goodbye.
You can also have a look at my previous article on exploiting the Apache Struts2 RCE vulnerability. Here is the link to the article