Hunt for and Exploit the libSSH Authentication Bypass (CVE-2018-10933)
- 1. Find Hosts Running SSH
- 2. Identify hosts running libSSH
- 3. Identify hosts vulnerable to CVE-2018-10933
- 4. Exploitation
libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server with an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message the server expects to initiate authentication, an attacker can successfully authenticate without any credentials.
The bug was discovered by Peter Winter-Smith of NCC Group.
Since then there has been a lot of debate on Twitter about its causes and impact, so here I want to write up a practical guide explaining how to find hosts (in your network) vulnerable to the libSSH authentication bypass, and how to exploit them to gain shell access.
Scripts and Kibana visualizations used in this article can be found on GitHub: https://github.com/marco-lancini/hunt-for-cve-2018-10933.
1. Find Hosts Running SSH
Let’s say you are in the middle of an engagement and want to find all hosts running
At this point you might have already run a few scans to identify open ports, so the first step is to identify all SSH-based services.
I usually load all my nmap scan results into Offensive ELK, which allows me to use Kibana to query and quickly sift through huge amounts of data.
In this case, I created a new visualization that allows me to export
PORT combinations to a CSV file:
- First, I added a filter to select only services containing the keyword
- Second, I added a bucket where rows are split by the field
- Finally, I added a sub-bucket where rows are further split by the field
This gave me a table like the one shown below, with a combination of
Next, I exported the table to CSV by clicking the “Formatted” button at the bottom of the page.
Open the CSV file, delete the headers, and insert the following formula in cell E1 to concatenate the
A) columns, with a space in the middle, so that later we can parse these strings with nmap:
Apply the formula to all cells in column E, then export this column to a txt file for convenience (
2. Identify hosts running libSSH
The ssh-hassh NSE script can be used to identify both the hasshServer (i.e., the SSH server fingerprint) and the hasshServerAlgorithms of our target SSH servers.
Grab the NSE script and place it in the scripts folder of your nmap installation (usually this should be located at
Next, we have to run the ssh-hassh script against every host contained in our target list:
nmap --script ssh-hassh -p <PORT> <IP>
To speed things up, I created a quick (and dirty) bash script that iterates through every line of the target list and saves the scan results to a folder:
Run it and let it do its job (it might take a while, depending on the size of your target list):
$ ./scan_hassh.sh targets.txt
3. Identify hosts vulnerable to CVE-2018-10933
On GitHub, an analysis of the Censys public scan data has already been published that estimates the number of servers potentially vulnerable to this bug.
From this analysis, we can obtain the most common hasshServer values for each
Here is a snapshot, but refer to the original Gist for updates:
| hasshServer | Server Identification String |
| --- | --- |
| bf8ae9cb26a1222fe7b9323edd6f8814 | SSH-2.0-libssh-0.6.0, SSH-2.0-libssh-0.6.1, SSH-2.0-libssh-0.6.3 |
| c251cb842064997a986c1bc145aec3bd | SSH-2.0-libssh-0.6.0, SSH-2.0-libssh-0.7.0, SSH-2.0-libssh-0.7.1 |
We now just have to cross-check these fingerprints against our nmap scan results.
The quickest way is probably to put the hasshServer values into a text file (
and grep for them within the nmap results folder.
Here I created another quick bash script to automate this process:
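As an added example (not the script from the repository above), the same cross-check done in Python: it parses the per-host files written by the scan loop, matches the hasshServer against the two fingerprints from the table, and keeps the server banner alongside, because one hassh covers several libssh releases and the banner is what confirms the exact version. The field names in the constructed sample output and the `scan_results_folder` helper are assumptions.

```python
import re
from pathlib import Path

# hasshServer fingerprints reported for vulnerable libssh builds (table above).
# A hassh is shared across several releases, so the banner is kept for confirmation.
VULNERABLE_HASSH = {
    "bf8ae9cb26a1222fe7b9323edd6f8814": "libssh 0.6.0/0.6.1/0.6.3",
    "c251cb842064997a986c1bc145aec3bd": "libssh 0.6.0/0.7.0/0.7.1",
}

# "hasshServer:" (no space before the colon) so the Algorithms line is not matched.
HASSH_RE = re.compile(r"hasshServer:\s*([0-9a-fA-F]{32})")
BANNER_RE = re.compile(r"Server Identification String:\s*(\S+)")


def parse_hassh_output(text):
    """Extract (hasshServer, banner) from one `nmap --script ssh-hassh` result."""
    h = HASSH_RE.search(text)
    b = BANNER_RE.search(text)
    return (h.group(1).lower() if h else None, b.group(1) if b else None)


def find_vulnerable(results):
    """results: {target_label: nmap output text}.
    Returns a sorted list of (target, hasshServer, banner, libssh versions) hits."""
    hits = []
    for target, text in results.items():
        hassh, banner = parse_hassh_output(text)
        if hassh in VULNERABLE_HASSH:
            hits.append((target, hassh, banner or "unknown", VULNERABLE_HASSH[hassh]))
    return sorted(hits)


def scan_results_folder(folder):
    """Read every file in the folder produced by the scan loop (one output per target)."""
    files = {p.name: p.read_text(errors="replace") for p in Path(folder).iterdir() if p.is_file()}
    return find_vulnerable(files)


# Constructed sample outputs in the shape of the NSE script's report (not real hosts).
SAMPLE_RESULTS = {
    "10.0.0.5_22": ("22/tcp open  ssh\n| ssh-hassh: \n"
                    "|   Server Identification String: SSH-2.0-libssh-0.7.1\n"
                    "|   hasshServer: c251cb842064997a986c1bc145aec3bd\n"
                    "|_  hasshServer Algorithms: curve25519-sha256;aes256-ctr\n"),
    "10.0.0.9_2222": ("2222/tcp open  ssh\n| ssh-hassh: \n"
                      "|   Server Identification String: SSH-2.0-OpenSSH_7.4\n"
                      "|   hasshServer: " + "f" * 32 + "\n"),
    "10.0.0.12_22": "22/tcp filtered ssh\n",
}

if __name__ == "__main__":
    for target, hassh, banner, versions in find_vulnerable(SAMPLE_RESULTS):
        print(f"{target}\t{banner}\t{hassh}\t{versions}")
```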
The manual way
If you identify any vulnerable server, the libSSH-Authentication-Bypass repository contains a Python script that will allow you to spawn a shell without any credentials by exploiting CVE-2018-10933.
Grab a copy of libsshauthbypass.py and run it against the vulnerable servers:
The Metasploit way
A new module has been added to Metasploit to exploit this issue: