SSH Tectia Server 6.0.4 to 6.0.20
SSH Tectia Server 6.1.0 to 6.1.12
SSH Tectia Server 6.2.0 to 6.2.5
SSH Tectia Server 6.3.0 to 6.3.2
Tested on CentOS 5.8 x86 with:
SSH Tectia Server 6.3.2-33
This module exploits a vulnerability in Tectia SSH Server for Unix-based platforms. The bug is triggered by an SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request sent before password authentication completes, which lets any remote user bypass the login routine and gain access as root.
set RHOST 192.168.178.34
set PAYLOAD cmd/unix/interact
An attacker in possession of a valid username on an SSH Tectia installation running on UNIX (verified on AIX/Linux) can log in without a password. The bug is in the "SSH USERAUTH CHANGE REQUEST" routines, which exist to let a user change their password. A flaw in that code allows an attacker to log in without a password by forcing a password change request prior to authentication.
Your OpenSSH client should be patched with the diff file provided by kingcope in order to force the password change request.
On the target:
rpm -qi ssh-tectia-server-6.3.2-33
On the attacker:
./ssh -lroot 192.168.178.34
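As an added defender-side check, and not code from the original advisory or from the Metasploit module it describes, the script below takes the output of `rpm -qi ssh-tectia-server` (the command shown above) and decides whether the installed build falls inside the four affected version ranges listed at the top of this page. The `rpm -qi` sample is constructed here for illustration; the `Name`/`Version`/`Release` line layout is the standard rpm format.

```python
import re

# Affected SSH Tectia Server ranges as listed in the advisory, inclusive on both ends.
AFFECTED_RANGES = [
    ((6, 0, 4), (6, 0, 20)),
    ((6, 1, 0), (6, 1, 12)),
    ((6, 2, 0), (6, 2, 5)),
    ((6, 3, 0), (6, 3, 2)),
]

# Constructed sample of `rpm -qi ssh-tectia-server` output for the build tested on this page.
SAMPLE_RPM_QI = """\
Name        : ssh-tectia-server
Version     : 6.3.2
Release     : 33
Architecture: i386
Install Date: Mon 01 Jan 2012 00:00:00
Group       : Applications/Internet
"""


def parse_version(text):
    """Turn a dotted 'major.minor.patch' string into a comparable integer tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the given Tectia Server version is inside any affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def version_from_rpm_name(name):
    """Extract the upstream version from a package NVR such as 'ssh-tectia-server-6.3.2-33'."""
    m = re.fullmatch(r"ssh-tectia-server-(\d+\.\d+\.\d+)-\d+", name.strip())
    if not m:
        raise ValueError("not an ssh-tectia-server package name: %r" % name)
    return m.group(1)


def check_rpm_qi(output):
    """Parse `rpm -qi` text and report the installed version plus whether it is affected.

    Returns a dict with keys 'name', 'version', 'release' and 'affected'; raises if the
    output does not describe the ssh-tectia-server package.
    """
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^(Name|Version|Release)\s*:\s*(\S+)", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    if fields.get("name") != "ssh-tectia-server" or "version" not in fields:
        raise ValueError("rpm -qi output does not describe ssh-tectia-server")
    return {
        "name": fields["name"],
        "version": fields["version"],
        "release": fields.get("release"),
        "affected": is_affected(fields["version"]),
    }


if __name__ == "__main__":
    result = check_rpm_qi(SAMPLE_RPM_QI)
    status = "AFFECTED" if result["affected"] else "not in the affected ranges"
    print("%s %s-%s: %s" % (result["name"], result["version"], result["release"], status))
```

Run it as-is against the constructed sample, or pipe real `rpm -qi ssh-tectia-server` output into `check_rpm_qi` during an inventory sweep; the inclusive tuple comparison is what keeps boundary builds such as 6.0.20 and 6.3.2 flagged while 6.3.3 and later are reported clean.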