Tectia SSH Server Authentication Bypass Remote 0day Exploit Demo

Timeline :

Vulnerability discovered by @kingcope
Vulnerability disclosed by @kingcope the 2012-12-01

PoC provided by :


Reference(s) :

Full Disclosure Mailing-list

Affected version(s) :

All versions of Tectia SSH Server

Tested on Centos 5.8 x86 with :

Tectia SSH Server

Description :

An attacker in the possession of a valid username of an SSH Tectia installation running on UNIX (verified on AIX/Linux) can login without a password.┬áThe bug is in the “SSH USERAUTH CHANGE REQUEST” routines which are there to allow a user to change their password. A bug in the code allows an attacker to login without a password by forcing a password change request prior to authentication.

Commands :

You're OpenSSH client should be patched with the diff file provided by kingcope in order to force the password reset request.

On the target :

uname -a
rpm -qi ssh-tectia-server-6.3.2-33

netstat -lntp

On the attacker :

uname -a

./ssh -lroot

12 thoughts on “Tectia SSH Server Authentication Bypass Remote 0day Exploit Demo

Comments are closed.