aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
openssh/CVE-2018-15473/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.3 KiB

9
openssh/CVE-2018-15473/Dockerfile Normal file
View File

@@ -0,0 +1,9 @@
FROM vulhub/openssh:7.7
LABEL maintainer="phithon <root@leavesongs.com>"
RUN set -ex \
&& adduser --home /home/vulhub --shell /bin/bash --disabled-password --gecos "" vulhub \
&& echo "vulhub:vulhub" | chpasswd \
&& adduser --home /home/example --shell /bin/bash --disabled-password --gecos "" example \
&& echo "example:123456" | chpasswd

36
openssh/CVE-2018-15473/README.md Normal file
View File

@@ -0,0 +1,36 @@
# OpenSSH Username Enumeration (CVE-2018-15473)
[中文版本(Chinese version)](README.zh-cn.md)
OpenSSH is a suite of secure networking utilities based on the Secure Shell protocol, which provides a secure channel over an unsecured network in a clientserver architecture.
CVE-2018-15473 is a medium-severity vulnerability affecting OpenSSH versions up to and including 7.7. This vulnerability allows user enumeration due to the system not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed. As a result, a remote attacker can test whether a certain user exists on a target OpenSSH server.
References:
- http://openwall.com/lists/oss-security/2018/08/15/5
- https://github.com/Rhynorater/CVE-2018-15473-Exploit
- https://www.anquanke.com/post/id/157607
## Vulnerable environment
Execute following commands to start a OpenSSH server 7.7p1:
```
docker compose build
docker compose up -d
```
After the server is started, you can log in to OpenSSH server by `ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@your-ip -p20022` and password `vulhub`.
## Vulnerability reproduce
Use [CVE-2018-15473-Exploit](https://github.com/Rhynorater/CVE-2018-15473-Exploit) to enumerate usernames in the dictionary:
```
python3 sshUsernameEnumExploit.py --port 20022 --userList exampleInput.txt your-ip
```
![](1.png)
As you can see, `root``example``vulhub``nobody` are existing usernames, `rootInvalid``user``phithon` are non-existent usernames.

32
openssh/CVE-2018-15473/README.zh-cn.md Normal file
View File

@@ -0,0 +1,32 @@
# OpenSSH 用户名枚举漏洞CVE-2018-15473
OpenSSH 7.7前存在一个用户名枚举漏洞,通过该漏洞,攻击者可以判断某个用户名是否存在于目标主机中。
参考链接:
- http://openwall.com/lists/oss-security/2018/08/15/5
- https://github.com/Rhynorater/CVE-2018-15473-Exploit
- https://www.anquanke.com/post/id/157607
## 漏洞环境
执行如下命令编译及启动一个运行OpenSSH 7.7p1的容器:
```
docker compose build
docker compose up -d
```
环境启动后,我们在客户端执行`ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@your-ip -p20022`,输入密码`vulhub`,即可登录到容器中。
## 漏洞复现
使用[CVE-2018-15473-Exploit](https://github.com/Rhynorater/CVE-2018-15473-Exploit),枚举字典中的用户名:
```
python3 sshUsernameEnumExploit.py --port 20022 --userList exampleInput.txt your-ip
```
![](1.png)
可见,`root``example``vulhub``nobody`是存在的用户,`rootInvalid``user``phithon`是不存在的用户。

8
openssh/CVE-2018-15473/docker-compose.yml Normal file
View File

@@ -0,0 +1,8 @@
version: '2'
services:
sshd:
build: .
environment:
- ROOT_PASSWORD=vulhub
ports:
- "20022:22"