What puzzles me about this libssh vuln: 1) USERAUTH_REQUEST is used for specifying the user you want to authenticate as. If you don't send it, who are you authenticated as? 2) The patch (https://www.libssh.org/security/patches/stable-0.6_CVE-2018-10933.jmcd.patch01.txt …) introduces (not replaces!) state checking. Was there none before? https://twitter.com/dlitchfield/status/1052296941436989440 …
Mitja Kolsek Retweeted Andreas Schneider
Also, no need to freak out about this vuln: https://twitter.com/cryptomilk/status/1052286350379114496 …
Also, a question for @metasploit who already have a module for this vuln: What is the SSH server type and configuration that this exploit works against? https://github.com/rapid7/metasploit-framework/blob/22503209d9b8aa0a0e21ed60d9a0af7f1f2182f4/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb …
Replying to @mkolsek @metasploit
The libssh code comes with example SSH server code. E.g. in 0.7.5, I can run samplesshd-cb, and I can confirm on the server side "ssh_packet_userauth_success: Authentication successful". Not so with 0.7.6. However, I've not yet seen command execution or an interactive session.
I suspect that the sample sshd code from libssh isn't as fully-fledged as it needs to be. It's enough to demonstrate successful authentication at least. Aside from some IoT things visible via Shodan, I've not seen any libssh-based ssh server software. On any platform.