Libssh any vulnerable server (CVE-2018-10933)?

hacking

#1

I’m trying to exploit the libssh vulnerability and, leaving aside a local installation of libssh, do you know of an online server to try this vulnerability against?


(Security Architect & Founder) #2

This probably deserves its own article.

The vulnerability known as CVE-2018-10933 is largely overhyped; many memes have been made about it, and in fact it has been confused with its bigger brother, OpenSSH.

Libssh only really affects about 3000 devices on the entire internet, which isn’t very much considering there are millions of devices on the open internet.

You can test a vulnerable libssh box here:

You just need to ensure that the patch is not applied.

One example of a script is this:

Although I have not been able to pop a shell from this yet in my testing. Has anybody else had more mileage than me?

Hackerfantastic seems to be able to get a shell with the Metasploit module.

I’d be really interested to see others’ progress on this vuln; it’s theoretically vulnerable, but I’ve not been able to crack it yet.


(Zain) #3

I’ve seen this kind of stuff on Twitter too. It’s probably really rare, like a Pokémon… XD

Jokes aside… I haven’t tried, so I’ve not been able to help that much. I can probably look online and see if I can find a PoC or a paper on it if anyone is interested in it?

~Cheers!

–Techno Forg–


(Occupi) #4

I was just reading about this vulnerability but as soon as they mentioned that it’s not the standard SSH that’s affected I kinda glazed over. It’s still very interesting if you can find the right device as @pry0cc said but you’re better off setting up a vulnerable instance of your own to try it out since the sample size is so small in the wild.

What I found interesting about the above article was a quote from F5 Networks:

F5 Networks has told BleepingComputer that “Customers can mitigate the vulnerability by using password and keyboard interactive authentication as opposed to public key authentication with the BIG-IP AFM SSH proxy feature.”

Now I’m assuming these devices would be behind other gates or forms of authentication, but I thought the popular opinion was to move away from username/passwords on devices where you could enable SSH key auth instead. Just seems like bad advice to be handing out as a “mitigation”.

But if you really want to do some scanning to find vulnerable hosts…

And finally, proof of concept exploit written in python:


#5

I think the metasploit module @hackerfantastic is using works only against libssh with removed additional checks. (Pretty FUD if you ask me :frowning: ) From what I know there is no way to spawn a shell without those modifications.


(Security Architect & Founder) #6

Yeahhh. I’m starting to notice that.

As with the case of F5, you can theoretically pwn many other devices that do not include libssh in their banner, which a scanner such as the one from Leap Security / Jbroche, which does a banner grab, would miss.

For example there are likely other embedded devices using Libssh that do not shout about it, but are still using it on the backend. This means that potentially many more devices are vulnerable to this flaw.

However, I think it has definitely been overhyped. People have been hearing this “SSH RCE”, which in fact is half true, and only really exciting if you’re talking OpenSSH, which this doesn’t affect.

I have heard though that you can use it to pivot through, although I’ve not seen any PoC that proves this yet.


#7

Thanks for all the info, guys; now I understand why I was not able to exploit this vulnerability. Anyway, I’m gonna test that GitHub vulnerable Docker…


(fxbg) #8

When I first saw this earlier this week I got excited, but then my excitement died when I realized that 99% of the SSH stuff I found was patched (or just was never even vulnerable).

I think this got more attention than it deserved, but I’ve been wrong before.


#9

I’m trying with https://github.com/hackerhouse-opensource/cve-2018-10933 and it works locally for me… Check out and test with my own modified working script here: https://github.com/Virgula0/POC-CVE-2018-10933



(Zain) #10

This is extremely useful. I will look into setting up an attack vector or something along those lines. Of course, in my own network. :slight_smile:


(Zain) #11

Alright, so after examining a few scripts… I’ve discovered several factors to try to exploit it.

  1. Anything greater than 0.7.6 and greater than 0.8.4 is not affected, hence the low number of possible vulnerable machines.

  2. Basically all you gotta do is send: MSG_USERAUTH_SUCCESS

This is actually done in python with this snippet of code:

msg.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)

I’m not advanced enough to do this with paramiko, but I’m assuming you just send it in bytes or something like that. I’m not 100% sure, but this is what I’m assuming via the scripts provided on the interweb.

Hope this helps. ~Cheers!

–Techno Forg–
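
A simplified model of the server-side flaw discussed in the post above, added here as an example; it is not libssh source and not taken from any script linked in this thread. It contrasts a dispatcher that shares one handler table between client and server roles with one that filters inbound messages by role and logs rejections. All class, function and table names are hypothetical, the credential store is constructed, and the message numbers are those of RFC 4252.

```python
import hmac
from enum import Enum

# SSH authentication message numbers (RFC 4252).
MSG_USERAUTH_REQUEST, MSG_USERAUTH_FAILURE, MSG_USERAUTH_SUCCESS = 50, 51, 52

class Role(Enum):
    CLIENT = "client"
    SERVER = "server"

class Session:
    def __init__(self, role):
        self.role, self.authenticated, self.log = role, False, []

USERS = {"alice": "correct horse"}  # constructed sample credential store

def on_request(session, payload):
    """Server side: verify credentials and answer SUCCESS or FAILURE."""
    user, password = payload
    expected = USERS.get(user)
    ok = expected is not None and hmac.compare_digest(expected, password)
    session.authenticated = ok
    return MSG_USERAUTH_SUCCESS if ok else MSG_USERAUTH_FAILURE

def on_success(session, payload):
    """Client side: the peer (a server) says authentication succeeded."""
    session.authenticated = True

def on_failure(session, payload):
    """Client side: the peer (a server) rejected the attempt."""
    session.authenticated = False

HANDLERS = {MSG_USERAUTH_REQUEST: on_request,
            MSG_USERAUTH_FAILURE: on_failure,
            MSG_USERAUTH_SUCCESS: on_success}

def dispatch_unfiltered(session, msg_type, payload=None):
    """Flawed: one handler table for both roles, no check of who may send what."""
    return HANDLERS[msg_type](session, payload)

# Which messages each role may legitimately receive.
ALLOWED_INBOUND = {Role.SERVER: {MSG_USERAUTH_REQUEST},
                   Role.CLIENT: {MSG_USERAUTH_FAILURE, MSG_USERAUTH_SUCCESS}}

def dispatch_filtered(session, msg_type, payload=None):
    """Hardened: drop and log any message the session's role must never receive."""
    if msg_type not in ALLOWED_INBOUND[session.role]:
        session.log.append(f"rejected inbound msg {msg_type} in {session.role.value} mode")
        return None
    return HANDLERS[msg_type](session, payload)
```

The rejection log entry doubles as a detection signal: a server-mode session that receives message 52 from its peer has no legitimate reason to see it.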


(Security Architect & Founder) #12

This script looks dope, have you modified your Docker build in any way from stock?

Guessing you’ve enabled port forwarding?


#13

I’m trying everything locally, so port forwarding is useless. I can give it a try, but it should work anyway, and nope, I didn’t modify the Docker build. It’s strange that it doesn’t work for you. I made this script a few days ago, but only now does it definitely work.
@Techno_Forg What you wrote is correct, but it was assumed as known from the opening of this topic. The problem was to make a statistic about the severity of the vulnerability, and it’s very low as we can see. Also, searching on Shodan, I was not able to find any vulnerable targets.


(Security Architect & Founder) #14

Perhaps it is how I am doing it.

I’m running against 127.0.0.1:2222, is this what you’re doing?


(Zain) #16

I understand that… the issue from IRC is getting a shell, no?

Also, found this:

“Another limitation: only vulnerable versions of libssh running in server mode are vulnerable, while the client mode is unaffected.”

According to this article, Shodan showed 6,351 sites using libssh. I would think this is just a matter of figuring out which ones are vulnerable to it.

I’m basically gonna quote the rest of the article, but:

“Winter-Smith agreed. “I suspect this will end up being a nomination for most overhyped bug, since half the people on Twitter seem to worry that it affects OpenSSH and the other half (quite correctly!) worry that GitHub uses libssh, when in fact GitHub isn’t vulnerable,” he said. “Remove GitHub and my guess is you’ll be left with a small handful of random sftp servers or IoT devices and little else!””

I’m kind of loling right now.

P.S. I’m also trying to clarify for everyone else.

If need be, I can quickly hack together a Shodan script and other goodies.


(Zain) #17

I’m assuming that there’s something missing from what you’re doing. Don’t know what though since I’m not there on your machine (and thank God for that :wink: ). :confused:


#18

If the total servers on Shodan are only 6.000 and only 3000 are vulnerable, then someone who has credits on Shodan could search and download up to 10.000 results per credit, so with 1 credit we can get all available servers. Then, with a bash script and a loop, we can test each server with my script, or alternatively I can modify my script itself, introducing this new function. I don’t have credits, otherwise I would have already done it myself.
@pry0cc Yeah, I’m running on 127.0.0.1:2222… Did you run ./build.sh (with Docker already installed), and then every time you try to use this vulnerability do you run the ./run.sh command, leaving the server listening? You can also try to download a vulnerable version from the libssh site and then compile it with cmake, then return to the first step from ./build.sh. Nothing in Docker is modified.


(Occupi) #19

I have credits, but what search parameters am I using? Trying out the libssh banners produced nothing for me.


#20

https://www.shodan.io/search?query=product%3Alibssh
The parameter is: product:libssh, but I don’t know why only 3,553 servers are shown and/or found.
With only the libssh query, the servers look like 6000: https://www.shodan.io/search?query=libssh