CVE-2019-6111 PoC — OpenSSH Path Traversal Vulnerability

Associated Vulnerability
Title: OpenSSH Path Traversal Vulnerability (CVE-2019-6111)
Description: An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).
Description
Case Study: SSHtranger Things (CVE-2019-6111, CVE-2019-6110) in Cisco SD-WAN
Readme
# MAL-008: SSHtranger Things (CVE-2019-6111, CVE-2019-6110) in Cisco SD-WAN

Cisco SD-WAN v20.4.2.1 uses an old version of SSH (OpenSSH_7.6p1) that is susceptible to the “SSHtranger Things” attack. If a victim connects to a malicious or compromised SSH server, this attack may be used to write or overwrite sensitive files.

Overwriting sensitive script files (e.g. “.bashrc”) may allow an unauthenticated attacker to obtain Remote Code Execution (RCE) on the victim’s system.
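
The client-side check whose absence the CVE description points to, sketched as an added example (not code from this README or from OpenSSH): a strict client rejects any scp control line whose name does not match what the user requested. `vet_records`, `ScpNameError` and the sample transcripts are hypothetical names and constructed data.

```python
import fnmatch
import re

# scp control lines sent by the remote side during a download:
#   C<mode> <size> <name> = file, D<mode> 0 <name> = enter dir, E = leave dir
RECORD = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")


class ScpNameError(Exception):
    """A control line names an object the client did not ask for."""


def vet_records(requested, records, recursive=False):
    """Return the names a strict client would accept, or raise ScpNameError.

    requested: remote path or glob the user typed (hypothetical helper API).
    records:   control lines received from the server, in order.
    """
    pattern = requested.rstrip("/").rsplit("/", 1)[-1]
    accepted, depth = [], 0
    for line in records:
        if line == "E":
            if depth == 0:
                raise ScpNameError("unbalanced E record")
            depth -= 1
            continue
        m = RECORD.match(line)
        if m is None:
            raise ScpNameError(f"malformed record: {line!r}")
        kind, name = m.group(1), m.group(4)
        # Cursory check (traversal only), the kind the CVE text describes.
        if "/" in name or name in (".", ".."):
            raise ScpNameError(f"path component in name: {name!r}")
        # Stricter check: a top-level name must match what was requested.
        if depth == 0 and not fnmatch.fnmatchcase(name, pattern):
            raise ScpNameError(f"unrequested object: {name!r}")
        if kind == "D":
            if not recursive:
                raise ScpNameError(f"directory sent without -r: {name!r}")
            depth += 1
        accepted.append(name)
    return accepted


# Constructed sample transcripts (not captured traffic).
HONEST = ["C0644 120 report.txt"]
UNSOLICITED = ["C0644 120 report.txt", "C0644 40 .bashrc"]
SIDE_DIR = ["D0755 0 proj", "C0644 5 main.c", "E", "D0700 0 .ssh", "C0600 10 authorized_keys", "E"]
```

Names inside a directory the user did request are still chosen by the server, so this check narrows a recursive copy only at the top level.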

### Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found [here](https://bst.cisco.com/quickview/bug/CSCwb16963).

### Requirements:

This vulnerability requires:

- Successful SSH MITM, OR
- Social engineering to convince a legitimate SD-WAN user to connect to a malicious SSH server

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/MAL-008/blob/main/Cisco%20SD-WAN%20-%20SSHtranger%20Things.pdf).

### Additional Information:

[PoC for CVE-2019-6111 and CVE-2019-6110](https://gist.github.com/mehaase/63e45c17bdbbd59e8e68d02ec58f4ca2)
File Snapshot

[4.0K] /data/pocs/5aacb2f6b35739f561a03a46b11a74c373928956
├── [796K] Cisco SD-WAN - SSHtranger Things.pdf
└── [1.1K] README.md

0 directories, 2 files