LibSSH authentication bypass: CVE-2018-10933

Introduction

In this post we will look at the details of the LibSSH authentication bypass, CVE-2018-10933, along with a demo of how it is exploited.

This vulnerability was identified by Peter Winter-Smith and was disclosed by LibSSH on 16 October 2018 under the assigned CVE ID CVE-2018-10933. He found a flaw in the server-side code that allows a client to bypass the usual authentication process and gain root-level access to the server.

Affected Versions

Applications using LibSSH versions from 0.6 up to, but not including, the fixed releases 0.7.6 and 0.8.4 are likely to be vulnerable to this CVE. Some known applications using LibSSH:

– KDE uses libssh for sftp file transfers

– GitHub implemented their git ssh server with libssh

– X2Go is a Remote Desktop solution for Linux

– csync, a bidirectional file synchronizer

– Remmina, the GTK+/Gnome Remote Desktop Client

– XBMC, a media player and entertainment hub for digital media

– GNU Gatekeeper, a full-featured H.323 gatekeeper
(from https://nakedsecurity.sophos.com/2018/10/17/serious-ssh-bug-lets-crooks-log-in-just-by-asking-nicely/)
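Since the affected ranges are easy to misread, here is an added Python helper (not part of the original post) that classifies a libssh identification banner, such as the one nmap -sV reports, against the ranges stated above; the host-to-banner inventory is constructed for illustration.

```python
import re

# Added example for this post (not from the original): classify a libssh
# identification banner, as reported by a version scan, against the affected
# ranges above: 0.6 <= v < 0.7.6 and 0.8.0 <= v < 0.8.4 are vulnerable.
FIRST_AFFECTED = (0, 6, 0)
FIXED_0_7 = (0, 7, 6)
FIXED_0_8 = (0, 8, 4)

# Constructed sample inventory (host -> banner); not real hosts.
SAMPLE_BANNERS = {
    "10.0.0.11": "SSH-2.0-libssh_0.8.1",
    "10.0.0.12": "SSH-2.0-libssh-0.7.5",
    "10.0.0.13": "SSH-2.0-libssh_0.8.4",
    "10.0.0.14": "SSH-2.0-OpenSSH_7.4",
}

def parse_libssh_version(banner):
    """Return (major, minor, patch) from e.g. 'SSH-2.0-libssh_0.8.1';
    None if the banner is not libssh. A missing patch level counts as 0."""
    m = re.search(r"libssh[_ -](\d+)\.(\d+)(?:\.(\d+))?", banner, re.IGNORECASE)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable(banner):
    """True if the banner's libssh version falls inside an affected range."""
    v = parse_libssh_version(banner)
    if v is None or v < FIRST_AFFECTED:
        return False
    if v < FIXED_0_7:            # 0.6.x and 0.7.0 to 0.7.5
        return True
    if v[:2] == (0, 8):          # 0.8.0 to 0.8.3
        return v < FIXED_0_8
    return False                 # 0.7.6+, 0.8.4+ and later branches carry the fix

def triage(banners):
    """Return the sorted list of hosts whose banner indicates an affected version."""
    return sorted(h for h, b in banners.items() if is_vulnerable(b))
```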

What is LibSSH?

According to the official documentation, LibSSH is a C library that enables you to write a program that uses the SSH protocol. With it, you can remotely execute programs, transfer files, or use a secure and transparent tunnel for your remote programs. The SSH protocol is encrypted, ensures data integrity, and provides strong means of authenticating both the server and the client. The library hides a lot of technical details of the SSH protocol, but this does not mean that you should not try to know about and understand these details.

Note that LibSSH should not be confused with OpenSSH or libssh2; they are three separate projects.

The Vulnerability

This is the official statement released by LibSSH:
“libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authenticate without any credentials.”
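To make the quoted statement concrete, here is a toy Python userauth handler added for this post (not libssh's own code) that contrasts a dispatcher acting on any SSH2_MSG_USERAUTH_SUCCESS with one that only honours SSH2_MSG_USERAUTH_REQUEST from the client; the message numbers 50 and 52 are the RFC 4252 values. A client-sent message 52 before authentication is also a clean detection signal for monitoring.

```python
# Added illustration, not libssh's code: a toy server-side userauth handler
# showing the flaw quoted above beside the corrected behaviour.
SSH2_MSG_USERAUTH_REQUEST = 50  # client -> server (RFC 4252)
SSH2_MSG_USERAUTH_SUCCESS = 52  # server -> client only (RFC 4252)

class Session:
    """Minimal per-connection state: whether userauth has completed."""
    def __init__(self):
        self.authenticated = False

def handle_vulnerable(session, msg_type, credentials_valid):
    """Dispatches on message type alone, with no check of which side is
    allowed to send it: a USERAUTH_SUCCESS arriving from the client is
    honoured and marks the session authenticated without any credentials."""
    if msg_type == SSH2_MSG_USERAUTH_SUCCESS:
        session.authenticated = True
    elif msg_type == SSH2_MSG_USERAUTH_REQUEST:
        session.authenticated = credentials_valid
    return session.authenticated

def handle_fixed(session, msg_type, credentials_valid):
    """A server only ever expects USERAUTH_REQUEST from a client during
    authentication; any server-only message type from the client is a
    protocol violation, so it is rejected rather than acted on."""
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        session.authenticated = credentials_valid
        return session.authenticated
    raise ValueError(f"unexpected client message type {msg_type} during userauth")

def accepts_spoofed_success(handler):
    """Probe a handler with a constructed client-sent USERAUTH_SUCCESS and no
    valid credentials; True means the bypass works against that handler."""
    session = Session()
    try:
        handler(session, SSH2_MSG_USERAUTH_SUCCESS, credentials_valid=False)
    except ValueError:
        return False
    return session.authenticated
```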

Demo

To carry out this exploit we need a server running a vulnerable version of LibSSH. The simplest option is to download a box that already runs one: Pentester Lab has built such a server, which can be downloaded from here. It is an ISO file, so you can boot it with either VirtualBox or VMware. First, check the IP address of the vulnerable machine by running ifconfig on the box. In our case the victim's IP is 192.168.0.100.

Then move to your attacker machine (in my case Kali). We first run an Nmap version scan to confirm that libssh is running:

nmap -sV 192.168.0.100 

After confirming this we can start with the exploit. We will use a simple Python script that does the work for us. You can download the code from https://github.com/nikhil1232/LibSSH-Authentication-Bypass or copy it from below:


https://gist.github.com/nikhil1232/e3d690b7a960693d89af407ca2ef693a

Code Walkthrough

  1. First, we create a socket object and connect to the server using the port and host/IP specified.
  2. paramiko.message.Message is used to create a new SSH2 message.
  3. Then we use paramiko.transport.Transport to create a new SSH session over the existing socket. This only creates the Transport object; it does not begin the SSH session yet, so we call start_client to begin a client session, as seen in the next line.
  4. Next, we add a few bytes to the SSH2 message with the add_byte method. This is exactly where we present the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST it expects to initiate authentication, which makes the server treat the session as authenticated.
  5. After that we send the message (_send_message) over the session created with the transport object.
  6. open_session is used in the next line to create a channel object, which is used for data transfer.
  7. In the next line we call exec_command, which, as the name suggests, executes a command on the SSH server.
  8. makefile returns a file object; in the next few lines its contents are read and printed, and the object is finally closed.


Usage

To use this script, run python3 LibAuth.py --help to see all the options and parameters we need to use.

We need to specify the victim's IP address, the port number and finally the command we want to execute on the victim machine.

The final command is: python3 LibAuth.py --host 192.168.0.100 -p 22 -c "uname -a"


You can try out different commands as you wish.

Extent of this Vulnerability

The vulnerability itself is quite severe: anyone can gain access to the victim server without any kind of authentication, and the simplicity with which an attacker can exploit it is alarming. That said, the number of machines and servers running this SSH library is quite low. You can still find a few public servers using libssh with a very simple Shodan search.


Patching

LibSSH has released two fixed versions, 0.8.4 and 0.7.6, to address the issue. Updating to the fixed release for your branch closes the bypass and protects the server from being exploited.

Conclusion

We started with an introduction and a few basics of LibSSH, then moved on to exploitation, the code walkthrough and finally patching.

That's all for now. See you next time. Goodbye.

You can also have a look at my previous article on exploiting the Apache Struts2 RCE vulnerability. Here is the link to the article

Loved what you read?

If so, then kindly comment, follow and share our website for much more interesting stuff.

References:

https://pentesterlab.com/exercises/cve-2018-10933/course

https://github.com/kn6869610/CVE-2018-10933

https://www.youtube.com/watch?v=ZSWQjmfcn4g

http://docs.paramiko.org


For any queries please send a Hi to my Linkedin Handle: Here
