
ssh-publickey-acceptance does not work #2917

Closed
meme-lord opened this issue Aug 20, 2024 · 4 comments

meme-lord commented Aug 20, 2024

Describe the bug
Running the ssh-publickey-acceptance NSE script gives false negative when testing my own public key against my own server.

To Reproduce

nmap -p 22 --script ssh-publickey-acceptance --script-args "ssh.usernames={'root'}, ssh.publickeys={'./id_rsa.pub'}" myserver.com

Expected behavior
Script should tell me the public key is accepted

Version info (please complete the following information):

  • OS:
Linux laptop 6.10.4-arch2-1 #1 SMP PREEMPT_DYNAMIC Sun, 11 Aug 2024 16:19:06 +0000 x86_64 GNU/Linux
  • Output of nmap --version:
Nmap version 7.95 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.4.6 openssl-3.3.1 libssh2-1.11.0 libz-1.3.1 libpcre2-10.44 libpcap-1.10.4 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
@meme-lord meme-lord added the Nmap label Aug 20, 2024
@nnposter nnposter added bug NSE and removed Nmap labels Aug 23, 2024
@nnposter

One of the issues is rectified by #2919.

However, applying this fix seems to allow the execution to reach some other faulty code further down, when testing the actual authentication in publickey_canauth(), resulting in memory corruption.

@junedic

junedic commented Aug 30, 2024

Looks to me like the session is freed at some point for valid user/key combinations and not handled correctly afterwards. Appears to fail in libssh2/src/userauth.c, line 1706 on LIBSSH2_FREE. I added a related check I found to the callback function, which seems to fix the issue.

@nnposter could you verify #2923 on top of your change?

@junedic

junedic commented Aug 30, 2024

Simply returning 1 on callback also seems to be sufficient, so we hit the callback error check in userauth.c, line 1683 #2924

@junedic

junedic commented Aug 30, 2024

What seems to be happening is the following:

  • invalid user/key combinations hit the conditional in userauth.c, lines 1625-1636, therefore failing authentication
  • valid user combinations proceed to set session->userauth_pblc_state = libssh2_NB_state_sent1
  • this confirms the combination is valid and triggers the condition in line 1646

Since this already confirms we "canauth()" I think it's safe to exit from the authentication process at this point by returning 1 from the callback and triggering the callback error.
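The reasoning in the comment above rests on one protocol fact: when a client sends a publickey USERAUTH_REQUEST with the "has signature" boolean set to FALSE, the server answers with SSH_MSG_USERAUTH_PK_OK (60) if it would accept that key for that user, or SSH_MSG_USERAUTH_FAILURE (51) otherwise, before any private key is used (RFC 4252 section 7). That is the signal a key-acceptance scan reads, and the point at which it can safely stop. The following is an added illustration written for this page; it is not the nmap script, its libssh2 binding, or any code from this thread, and it does not model the libssh2 callback path where the crash was found. It is a Python model of both sides of that exchange, with the key blobs and the per-user authorized-key map constructed for the example.

```python
"""Wire-level model of the publickey 'can this key authenticate?' probe
(RFC 4252 s.7). Added illustration only: nmap's ssh-publickey-acceptance
is Lua over a C libssh2 binding; this Python code only models the messages."""
import struct

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_PK_OK = 60


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset; returns (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_pk_query(user: str, algo: str, blob: bytes) -> bytes:
    """Client: USERAUTH_REQUEST with 'has signature' = FALSE.

    Asks whether the server would accept the key without proving
    possession of the private key, which is all an acceptance scan needs."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey")
            + b"\x00"                      # boolean FALSE: no signature follows
            + ssh_string(algo.encode())
            + ssh_string(blob))


def parse_pk_query(msg: bytes) -> dict:
    """Server: decode the fields of a publickey USERAUTH_REQUEST."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    off = 1
    user, off = read_string(msg, off)
    service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    if method != b"publickey":
        raise ValueError("not a publickey request")
    has_sig = msg[off] != 0
    off += 1
    algo, off = read_string(msg, off)
    blob, off = read_string(msg, off)
    return {"user": user.decode(), "service": service, "has_sig": has_sig,
            "algo": algo.decode(), "blob": blob}


def server_respond(msg: bytes, authorized: dict) -> bytes:
    """Server: answer a signature-less query.

    `authorized` maps user name -> set of (algo, blob) pairs, standing in
    for each account's authorized_keys (constructed for this example)."""
    req = parse_pk_query(msg)
    if (req["algo"], req["blob"]) in authorized.get(req["user"], set()):
        # PK_OK echoes the algorithm name and key blob from the request.
        return (bytes([SSH_MSG_USERAUTH_PK_OK])
                + ssh_string(req["algo"].encode())
                + ssh_string(req["blob"]))
    # USERAUTH_FAILURE: name-list of methods that can continue, partial = FALSE.
    return bytes([SSH_MSG_USERAUTH_FAILURE]) + ssh_string(b"publickey") + b"\x00"


def key_accepted(response: bytes, algo: str, blob: bytes) -> bool:
    """Client: the 'canauth' verdict.

    PK_OK naming our algorithm and blob means the server would accept a
    signature from this key; the probe stops here and never signs."""
    if not response or response[0] != SSH_MSG_USERAUTH_PK_OK:
        return False
    r_algo, off = read_string(response, 1)
    r_blob, _ = read_string(response, off)
    return r_algo == algo.encode() and r_blob == blob


# Constructed key blobs (not real keys): the model server only compares bytes.
GOOD_KEY = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + b"A" * 32
OTHER_KEY = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + b"B" * 32
AUTHORIZED = {"root": {("ssh-ed25519", GOOD_KEY)}}


def probe(user: str, algo: str, blob: bytes, authorized: dict = AUTHORIZED) -> bool:
    """One client/server round trip; returns True only for an accepted key."""
    query = build_pk_query(user, algo, blob)
    return key_accepted(server_respond(query, authorized), algo, blob)


if __name__ == "__main__":
    for user, blob in [("root", GOOD_KEY), ("root", OTHER_KEY), ("nobody", GOOD_KEY)]:
        print(user, "accepted" if probe(user, "ssh-ed25519", blob) else "rejected")
```

Two practical caveats carry over to any real scanner built on this exchange: the verdict must be read off PK_OK only when it echoes the same algorithm name and blob that were sent, and aborting the authentication right after PK_OK (the "return 1 from the callback" approach discussed above) is what keeps the scan from ever needing, or leaking, a private key.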
