CVE-2019-17498

About

Details

The vulnerable check is in the SSH_MSG_DISCONNECT handling of packet.c, line 480:

    if (message_len < datalen-13) {

Here datalen is the length of the packet payload as received from the remote peer, so it is attacker-controlled, and it is an unsigned type. For any datalen below 13 (the 13 bytes being packet_type(1) + reason(4) + message_len(4) + language_len(4)), the subtraction datalen-13 wraps around to a very large value, so the comparison passes for every message_len, including one the attacker sets to an arbitrarily large value. With datalen == 11, for example, the bounds check on message_len is ineffective and message_len is then used as an offset on line 485 to read language_len from the packet, an out-of-bounds read.

When the client connects to the server, the server answers with a malformed SSH_MSG_DISCONNECT that takes this path and crashes the client with a segmentation fault.

PoC / Exploit

Environment used

  • Ubuntu 18.04.3 LTS
  • libssh2 1.8.2

Reproduction

  • Server

    • Docker version:
    docker run -p8022:22 -it simaofsilva/cve-2019-17498
    • Script version:
    sudo bash run.sh
  • Client

docker run -it -e "ip=<Server IP>" -e "port=8022" simaofsilva/cve-2019-17498-client 

The client should terminate with a "Segmentation fault" message: the faulty message-length check lets the client read past the end of the received packet.

Note: if the server and client run on the same machine, change the PORT variable in the client Dockerfile to 22.