Timeline :
Vulnerability discovered by @kingcope
Vulnerability disclosed by @kingcope the 2012-12-01
PoC provided by :
kingcope
Reference(s) :
Affected version(s) :
All versions of Tectia SSH Server
Tested on Centos 5.8 x86 with :
Tectia SSH Server 6.3.2.33
Description :
An attacker in the possession of a valid username of an SSH Tectia installation running on UNIX (verified on AIX/Linux) can login without a password. The bug is in the “SSH USERAUTH CHANGE REQUEST” routines which are there to allow a user to change their password. A bug in the code allows an attacker to login without a password by forcing a password change request prior to authentication.
Commands :
You're OpenSSH client should be patched with the diff file provided by kingcope in order to force the password reset request. On the target : ifconfig uname -a rpm -qi ssh-tectia-server-6.3.2-33 netstat -lntp On the attacker : ifconfig uname -a ./ssh -lroot 192.168.178.34
RT @eromang: Tectia #SSH Server Authentication Bypass Remote #0day #Exploit Demo @kingcope http://t.co/8Zdtyjoa #infosec
RT @eromang: Tectia #SSH Server Authentication Bypass Remote #0day #Exploit Demo @kingcope http://t.co/8Zdtyjoa #infosec
RT @eromang: Tectia #SSH Server Authentication Bypass Remote #0day #Exploit Demo @kingcope http://t.co/8Zdtyjoa #infosec
RT @eromang: Tectia #SSH Server Authentication Bypass Remote #0day #Exploit Demo @kingcope http://t.co/8Zdtyjoa #infosec
RT @eromang: Tectia #SSH Server Authentication Bypass Remote #0day #Exploit Demo @kingcope http://t.co/8Zdtyjoa #infosec
RT @eromang: Tectia #SSH Server Authentication Bypass Remote #0day #Exploit Demo @kingcope http://t.co/8Zdtyjoa #infosec
RT @eromang: Tectia #SSH Server Authentication Bypass Remote #0day #Exploit Demo @kingcope http://t.co/8Zdtyjoa #infosec
RT @eromang: Tectia #SSH Server Authentication Bypass Remote #0day #Exploit Demo @kingcope http://t.co/8Zdtyjoa #infosec