Files

Dropbear SSHD xauth Command Injection / Bypass
Posted Mar 15, 2016
Authored by INTREST SEC

Dropbear sshd versions 2015.71 and below suffer from a command injection vulnerability via xauth. An authenticated user may inject arbitrary xauth commands by sending an X11 channel request that includes a newline character in the X11 cookie. The newline acts as a command separator to the xauth binary. This attack requires the server to have 'X11Forwarding yes' enabled. Disabling it mitigates this vector.

tags | exploit, arbitrary, bypass
advisories | CVE-2016-3116
SHA-256 | 8129326c102e22e1da62a2fd903c2546c85eba1fd49af454ec0eeb8768c919e3

Related Files

OpenSSH Local Privilege Escalation
Posted Dec 23, 2016
Authored by Jann Horn, Google Security Research

OpenSSH can forward TCP sockets and UNIX domain sockets. If privilege separation is disabled, then on the server side, the forwarding is handled by a child of sshd that has root privileges. For TCP server sockets, sshd explicitly checks whether an attempt is made to bind to a low port (below IPPORT_RESERVED) and, if so, requires the client to authenticate as root. However, for UNIX domain sockets, no such security measures are implemented. This means that, using "ssh -L", an attacker who is permitted to log in as a normal user over SSH can effectively connect to non-abstract unix domain sockets with root privileges. On systems that run systemd, this can for example be exploited by asking systemd to add an LD_PRELOAD environment variable for all following daemon launches and then asking it to restart cron or so. The attached exploit demonstrates this - if it is executed on a system with systemd where the user is allowed to ssh to his own account and where privsep is disabled, it yields a root shell.

tags | exploit, shell, root, tcp
systems | unix
advisories | CVE-2016-10010
SHA-256 | e76185809315ccb4de20af9908f94cf1d0c88a604c2850502c670e5b10961415
Red Hat Security Advisory 2016-2588-02
Posted Nov 4, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2588-02 - OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix: It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root.

tags | advisory, arbitrary, local, root, protocol
systems | linux, redhat, unix
advisories | CVE-2015-8325
SHA-256 | e42f57140a7efe5fbed26ea299866c70053ee97e49db3eaf4d90707a4f1db249
Debian Security Advisory 3626-1
Posted Jul 24, 2016
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3626-1 - Eddie Harari reported that the OpenSSH SSH daemon allows user enumeration through timing differences when trying to authenticate users. When sshd tries to authenticate a non-existing user, it will pick up a fixed fake password structure with a hash based on the Blowfish algorithm. If real users' passwords are hashed using SHA256/SHA512, then a remote attacker can take advantage of this flaw by sending large passwords and receiving shorter response times from the server for non-existing users.

tags | advisory, remote
systems | linux, debian
advisories | CVE-2016-6210
SHA-256 | 2f863fa4086db0a31226d56604fd7475efd80aac9d83230c52c988d3925ce6d0
OpenSSHD 7.2p2 User Enumeration
Posted Jul 21, 2016
Authored by 0_o

OpenSSHD versions 7.2p2 and below remote username enumeration exploit.

tags | exploit, remote
SHA-256 | 2f182c8354b3885f9f53dee4dfd49de6b64a388306dc36b6cf716adfc0ef8ac9
OpenSSHD 7.2p2 User Enumeration
Posted Jul 18, 2016
Authored by Eddie Harari

OpenSSHD versions 7.2p2 and below user enumeration exploit.

tags | exploit
advisories | CVE-2016-6210
SHA-256 | b69a28b747a4fe5a117cdc11aded97dd15df51cde6788bd96001aa8f57bc36a6
Debian Security Advisory 3550-1
Posted Apr 15, 2016
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3550-1 - enabled and the sshd PAM configuration is configured to read user-specified environment variables and the "UseLogin" option is enabled, a local user may escalate her privileges to root.

tags | advisory, local, root
systems | linux, debian
advisories | CVE-2015-8325
SHA-256 | 374089592e1cd2eb80c2dec50b28b14a5c1a6f12066de2e2c148453d945875cf
Red Hat Security Advisory 2016-0466-01
Posted Mar 22, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-0466-01 - OpenSSH is OpenBSD's SSH protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks.

tags | advisory, remote, protocol
systems | linux, redhat, openbsd
advisories | CVE-2015-5600, CVE-2016-3115
SHA-256 | 93381a3609cbd40ea19fd90f3d6532393c3c33d49bf30bab516193963789fd55
Red Hat Security Advisory 2015-2088-06
Posted Nov 20, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-2088-06 - OpenSSH is OpenBSD's SSH protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. A flaw was found in the way OpenSSH handled PAM authentication when using privilege separation. An attacker with valid credentials on the system and able to fully compromise a non-privileged pre-authentication process using a different flaw could use this flaw to authenticate as other users. A use-after-free flaw was found in OpenSSH. An attacker able to fully compromise a non-privileged pre-authentication process using a different flaw could possibly cause sshd to crash or execute arbitrary code with root privileges.

tags | advisory, arbitrary, root, protocol
systems | linux, redhat, openbsd
advisories | CVE-2015-5600, CVE-2015-6563, CVE-2015-6564
SHA-256 | 969133ceccf94cfbbd19259f9b16682286538b1be6ef824cd26361a6825383a7
freeSSHd 1.3.1 Denial Of Service
Posted Aug 28, 2015
Authored by 3unnym00n

freeSSHd version 1.3.1 suffers from a denial of service vulnerability.

tags | exploit, denial of service
SHA-256 | 394f6434e00eb05d1952d269485e3c3a636bd930a41c5b68ab983b352e8c2632
FreeBSD Security Advisory - OpenSSH Issues
Posted Aug 26, 2015
Site security.freebsd.org

FreeBSD Security Advisory - A programming error in the privileged monitor process of the sshd(8) service may allow the username of an already-authenticated user to be overwritten by the unprivileged child process. A use-after-free error in the privileged monitor process of the sshd(8) service may be deterministically triggered by the actions of a compromised unprivileged child process. A use-after-free error in the session multiplexing code in the sshd(8) service may result in unintended termination of the connection.

tags | advisory
systems | freebsd
SHA-256 | 3a8b1bfd85b5a339a84d61427764656f8de8bc6b1e993e98a5732638aac6f504
Mandriva Linux Security Advisory 2015-095
Posted Mar 30, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-095 - sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. Matthew Vernon reported that if an SSH server offers a HostCertificate that the ssh client doesn't accept, then the client doesn't check the DNS for SSHFP records. As a consequence, a malicious server can disable SSHFP checking by presenting a certificate.

tags | advisory, remote
systems | linux, mandriva
advisories | CVE-2014-2532, CVE-2014-2653
SHA-256 | 704f97d77be07b02b98aa395298a8190003a67ae5101733fa1d6b66750ddbc2a
FreeBSD Security Advisory - sshd Denial Of Service
Posted Nov 5, 2014
Site security.freebsd.org

FreeBSD Security Advisory - Although OpenSSH is not multithreaded, when OpenSSH is compiled with Kerberos support, the Heimdal libraries bring in the POSIX thread library as a dependency. Due to incorrect library ordering while linking sshd(8), symbols in the C library which are shadowed by the POSIX thread library may not be resolved correctly at run time. Note that this problem is specific to the FreeBSD build system and does not affect other operating systems or the version of OpenSSH available from the FreeBSD ports tree. An incorrectly linked sshd(8) child process may deadlock while handling an incoming connection. The connection may then time out or be interrupted by the client, leaving the deadlocked sshd(8) child process behind. Eventually, the sshd(8) parent process stops accepting new connections. An attacker may take advantage of this by repeatedly connecting and then dropping the connection after having begun, but not completed, the authentication process.

tags | advisory
systems | freebsd, osx
advisories | CVE-2014-8475
SHA-256 | 8268d282b64535e24bba05832891f3e53bd3a51e05846e68a5926dd47bf5e566
OpenSSL 6.7p1 bl0wsshd00r67p1 Backdoor
Posted Oct 23, 2014
Authored by Bl0w

bl0wsshd00r backdoors OpenSSH 6.7p1 with a magic password for any user, sniffs and records traffic, and suppresses logging to lastlog/wtmp/utmp.

tags | tool, rootkit
systems | unix
SHA-256 | 17bb28d0c4a3e2058cf728936b45586915c671f6cadd0920f2e695332adabeb7
Mandriva Linux Security Advisory 2014-068
Posted Apr 9, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-068 - sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. Matthew Vernon reported that if an SSH server offers a HostCertificate that the ssh client doesn't accept, then the client doesn't check the DNS for SSHFP records. As a consequence, a malicious server can disable SSHFP checking by presenting a certificate.

tags | advisory, remote
systems | linux, mandriva
advisories | CVE-2014-2532, CVE-2014-2653
SHA-256 | 0cf7a48470f92f54508eabbd4f9e1e0ae23f32cf46918fd1489cc6e856cf1a08
Ubuntu Security Notice USN-2104-1
Posted Feb 13, 2014
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2104-1 - Florian Sagar discovered that the LXC sshd template set incorrect mount permissions. An attacker could possibly use this flaw to cause privilege escalation on the host.

tags | advisory
systems | linux, ubuntu
advisories | CVE-2013-6441
SHA-256 | 55cee8e599573f7517c6322a49989c4e8be7e8bd614c71c20266b479497f168a
Red Hat Security Advisory 2013-1591-02
Posted Nov 21, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-1591-02 - OpenSSH is OpenBSD's Secure Shell protocol implementation. These packages include the core files necessary for the OpenSSH client and server. The default OpenSSH configuration made it easy for remote attackers to exhaust unauthorized connection slots and prevent other users from being able to log in to a system. This flaw has been addressed by enabling random early connection drops by setting MaxStartups to 10:30:100 by default. For more information, refer to the sshd_config man page. These updated openssh packages include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.5 Technical Notes, linked to in the References, for information on the most significant of these changes.

tags | advisory, remote, shell, protocol
systems | linux, redhat, openbsd
advisories | CVE-2010-5107
SHA-256 | a4f28ff7392407cc2b25c64fb8ce70d6d9dd9cbe74095327d51804e531223977
FreeBSD Security Advisory - OpenSSH AES-GCM Memory Corruption
Posted Nov 19, 2013
Site security.freebsd.org

FreeBSD Security Advisory - A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during key exchange. If exploited, this vulnerability might permit code execution with the privileges of the authenticated user, thereby allowing a malicious user with valid credentials to bypass shell or command restrictions placed on their account.

tags | advisory, shell, code execution
systems | freebsd
advisories | CVE-2013-4548
SHA-256 | 878536e73df64b2ee9e3165866803aec2f9d6c286c5bb0c627ff2c9aed8e06fe
OpenSSH 6.3 Memory Corruption
Posted Nov 8, 2013
Authored by Markus Friedl | Site openssh.com

A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during key exchange. If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations. OpenSSH versions 6.2 and 6.3 are affected when built against an OpenSSL that supports AES-GCM.

tags | advisory, shell, code execution
SHA-256 | 5a14ae6163dbd1bc2080d2d9e5abbece4f4a06fb6c639b17aeb2e9819c2b20d2
Mikrotik RouterOS 5.x / 6.x SSHd Heap Corruption
Posted Sep 3, 2013
Authored by Kingcope

Mikrotik RouterOS versions 5.x and 6.x suffer from an sshd remote pre-authentication heap corruption vulnerability. Included is a 50 meg Mikrotik package that includes all research items.

tags | exploit, remote
systems | linux
SHA-256 | 74610d5d75efcfb4a984b83085a1bd9e64779bd5d156fb3a81b92d7bb3439349
Mandriva Linux Security Advisory 2013-022
Posted Mar 13, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-022 - The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory. The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service by periodically making many new TCP connections. The updated packages have been patched to correct these issues.

tags | advisory, remote, denial of service, shell, tcp
systems | linux, mandriva
advisories | CVE-2010-5107, CVE-2012-0814
SHA-256 | bee473f9707063a23fbf49f1f2986f75bfe44988e5231b688428c1c9f062130b
FreeSSHd 1.2.6 Authentication Bypass
Posted Jan 15, 2013
Site metasploit.com

This Metasploit module exploits a vulnerability found in FreeSSHd versions 1.2.6 and below to bypass authentication. You just need the username (which defaults to root). The exploit has been tested with both password and public key authentication.

tags | exploit, root
advisories | CVE-2012-6066, OSVDB-88006
SHA-256 | 0272e1bc1c0f2058ce2f21fa14e3a0637074e73625db7d48068910d45f94ec8d
FreeSSHD Remote Authentication Bypass
Posted Dec 3, 2012
Authored by Kingcope

FreeSSHD suffers from a remote authentication bypass vulnerability.

tags | exploit, remote, bypass
SHA-256 | 0f3bd20a3e70422b385aedbcf9be79dcffb498416d75c29e1820bbafa68dab21
RaspberryPi Image Occidentalis 0.1 Default Credentials
Posted Aug 4, 2012
Authored by Larry W. Cashdollar

The RaspberryPi Occidentalis version 0.1 image spawns sshd by default without prompting users to change their credentials, leaving their systems accessible via root/root default credentials.

tags | exploit, root, info disclosure
SHA-256 | 656c7ec055e2f82105589240af2b020366360c6deae390094ae0d32f88f6c389
Fake sshd Tool
Posted Jan 17, 2012
Authored by James Stevenson | Site stev.org

This is a fake sshd which can be used to log the common login attempts typically made by scammers, spammers and script kiddies trying to gain access to servers. It does not modify OpenSSH and uses libssh instead. There is no valid way to log in to a shell; it can be used to tarpit or delay attackers and to capture the entries used in a dictionary attack.

tags | tool, shell, encryption
SHA-256 | 2cae65ecac170b8d18902634e1d32ed99b5ad3fc094c4e1979ffdde16083f3ed
FreeSSHd Remote Denial Of Service
Posted Dec 25, 2011
Authored by Level

FreeSSHD remote denial of service proof of concept exploit.

tags | exploit, remote, denial of service, proof of concept
SHA-256 | 64ef29a432819a28b41d8f37b7d65cc811d1a982933c6caf1642e4ced0608e7a
© 2024 Packet Storm. All rights reserved.