Authentication Bypass in Server Code for LibSSH# Authentication Bypass in Server Code
CVE-2018-10933
Versions 0.7.6 to 0.8.4
## Description
libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.
The bug was discovered by Peter Winter-Smith of NCC Group.
## Installation
A POC demo of this vulnerability exists as a docker image.
```bash
cd ./CVE-2018-10933/docker
docker-compose up
```
## Credits
Docker image and vulnerability based off of <a href="https://github.com/hackerhouse-opensource/cve-2018-10933" target="_blank">https://github.com/hackerhouse-opensource/cve-2018-10933</a>.
Description based off of <a href="https://www.libssh.org/security/advisories/CVE-2018-10933.txt" target="_blank">https://www.libssh.org/security/advisories/CVE-2018-10933.txt</a>.
CVE based off of <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-10933" target="_blank">https://nvd.nist.gov/vuln/detail/CVE-2018-10933</a>.
The bug was discovered by Peter Winter-Smith of NCC Group.
Patches are provided by the Anderson Toshiyuki Sasaki of Red Hat and the libssh team.
[4.0K] /data/pocs/adda1c9fbc74480660d8f37fbee1a82f7640e8e6
├── [4.0K] docker
│ ├── [ 969] cve-2018-10933.patch
│ ├── [ 183] docker-compose.yml
│ ├── [1.2K] Dockerfile
│ ├── [412K] libssh-0.8.3.tar.xz
│ └── [ 513] server.patch
├── [4.0K] exploit
│ └── [ 422] exploit.py
└── [1.3K] README.md
2 directories, 7 files