Bypass SSHv2 Authentication with help of libssh Flaw [CVE-2018-10933]

A vulnerability in libssh, a popular library for supporting the Secure Shell (SSH) authentication protocol, leaves thousands, if not more, of enterprise servers open to attacks.

The vulnerability allows an attacker to bypass authentication procedures and gain access to a server with an SSH connection enabled without having to enter the password.

An attacker can do this by sending the SSH server "SSH2_MSG_USERAUTH_SUCCESS" message instead of the "SSH2_MSG_USERAUTH_REQUEST" message that a server usually expects and which libssh uses as a sign that an authentication procedure needs to initiate.

Because of a coding error, when libssh receives the "SSH2_MSG_USERAUTH_SUCCESS" message, it will interpret this as the "authentication has already taken place" and will grant the attacker access to the local server.

The vulnerability, which is tracked as CVE-2018-10933, was introduced in libssh 0.6.0, released in January 2014. The libssh team released versions 0.8.4 and 0.7.6 yesterday to address this bug.

The bug was discovered by Peter Winter-Smith of NCC Group.

According to Amit Serper, head of security research at Cybereason, the library affects at least 3,000 servers, based on cursory search performed using the Shodan search engine.

The vulnerability is as bad as it gets in terms of coding, but it is not as bad as it gets in terms of impact on real-world computing.

The reason is that most servers, IoT devices, and personal computers prefer to implement SSH support via the openssh library instead of libssh.

One of the largest sites that supports libssh is GitHub, but the site's security team has already come forward to say they are not affected. GitHub uses libssh to provide an alternative SSH login method for enterprise customers. If GitHub's libssh-based login method was vulnerable, an attacker could have gained access to source code and intellectual property of the world's largest companies.

"We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but [GitHub Enterprise] was never vulnerable to CVE-2018-10933," the company said on Twitter.

The vulnerable code is only present in libssh's server-side code, meaning that having a libssh-based SSH client installed on your computer won't allow an attacker access to your system unless the client is also configured to run as an SSH server.

There are no public exploits available for CVE-2019-10993, yet, but they are trivial to put together, so they're most likely to pop up online in the following days.

Comments

My Life as Information security engineer Chapter 1: Tools

Hi folks, here I am going to share the tools list that I am using in my daily life cycle. NMAP Nmap (“Network Mapper”) is a free and open-source (license) utility for network discovery and security auditing. Basically, I will use it to discover the open ports and closed ports where I did Port Mapping in firewalls. We can use this in the local network as well as in the WAN network. Also with help of the NSE script, we do multiple things like vulnerability check, exploitation, etc., Ref: http://www.piratesshield.com/2017/11/nmap-network-mapper-securtiy-scanner.html CURL and WGET curl is a tool to transfer data from or to a server, using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP or FILE). Normally using this tool to analyze the website headers when my web security device blocking some dynamic content websites and to create the Application signature in IPS. Wget using to download files directly instead of opening and surfing the brow

AquaSec Container Security Solution ( DevSecOps ) - A quickView

What is AquaSec? The Aqua Platform is the leading Cloud Native Application Protection Platform (CNAPP) and provides prevention, detection, and response automation across the entire application lifecycle to secure the supply chain, secure cloud infrastructure, and secure running workloads wherever they are deployed. Solutions : Cloud Native Security Platform CSPM Cloud Security Container Security Kubernetes Security Serverless Security Cloud VM Security Dynamic Threat Analysis (DTA) Container Vulnerability Scanning Aquasec offers a 14days trial to learn the container security / Automated DevSecOps. Use this link to get free trail Sign In | Aqua (aquasec.com) How to start with AquaSec? Once login into the portal click the nine dots in the left-side top > Aqua Hub Then click the "Integrations" The Integration page has a lot of options to connect your container Platform Choosing your platform provides the required key to integrate. (follow the OEM documents ) The

What is IP Obfuscation ? How it's working ? how to use Cuteit tool ?

What is IP Obfuscation? Which is a method to hide or convert a doted format IP address (e.g. 192.168.192.2) into an Integer or Hexadecimal value or Octal form by using some mathematical formula. It’s a kind of method to spoof the human eyes and web security services. dot format to Decimal Conversion piratesshield.com 👉 [172.67.129.3] to translate (172 x256 3 )+(67×256 2 )+(129×256 1 )+(3×256 0 ) = 2890105091 Now you can use https://2890105091 to access piratesshield.com This is one of the ways to do IP Obfuscation. The tool ‘ Cuteit ‘ is A simple python tool to help you to social engineer, bypass whitelisting firewalls, potentially break regex rules for command-line logging looking for IP addresses and obfuscate cleartext strings to C2 locations within the payload. HOW TO USE CUTEIT ? Download & Install Cuteit from the below link git : git clone https://github.com/D4Vinci/Cuteit.git Direct link: https://github.com/D4Vinci/Cuteit/archive/master.zip usage: Cu

PIRATESSHIELD

Search This Blog