Libssh allow the attacker to access server without User details

Explaining libSSH CVE-2018-10933 flaw – Briefly explained

It is a very famous quote “Every security has a loophole”. We all know that every new security comes with new vulnerabilities. And when there is a vulnerability, there is someone who exploits it. If he is a bug hunter, he will simply report it and try to get rewards etc. But if he is a blackhat he will no doubt exploit the vulnerability and make his profit in his own way. This time the curse of vulnerability strikes libSSH. If you don’t know about libSSH. It’s a library which implements the SSH protocol in both client and server applications.

Peter Winter-Smith, a security consultant at NCC Group, discovered the authentication bypass flaw CVE-2018-10933 in libSSH. The vulnerability remained undisclosed for 5 years. Using CVE-2018-10933 flaw the attacker can gain easy access to the administrator of devices. The vulnerability targets the server-side state machine. The attacker can bypass authentication in the server code.

Explanation of libSSH vulnerability:

libssh vulnerability leads to access server without authentication
libSSH vulnerability leads to an access server without authentication

The attacker presents the server to a message SSH2_MSG_USERAUTH_SUCCESS instead of SSH2_MSG_USERAUTH_REQUEST. The server gets dodged. It expects the authentication instruction. This vulnerability leads to access all ssh servers based on the libSSH library. After this vulnerability wide range of servers is open.

This message sets the internal machines of libSSh to accept authentication. Libssh vulnerability results from the program code in the packet processing dispatch table. It is located in libssh\src\packet.c execute handlers for SSH2_MSG_USERAUTH_SUCCESS, even for servers. Further research shows that such errant processing of the message in libssh\src\auth.c causes the server to change the session state to authenticate!. This vulnerability is not for all ssh servers. It will work on the libSSH based server.

Cause of CVE-2018-10933 vulnerability:

The vulnerability was disclosed to the libSSH team in June. And it is fixed now. The new update has been released in October. Explaining the cause of the vulnerability, Winter-Smith says “the libSSH server and client share a state machine. So packets designed only to be processed by and update the client state can update the server state.” In practice, Winter-Smith said the most straightforward attack would be an authentication bypass. But the entire state machine is at flaw here so there may be other, more subtle, methods of exploitation.”

Salman Arif
Salman Arif Khan is the Founder of Sprotechs InfoSec. He's a Bug hunter. Cybersecurity researcher, Penetration tester and Developer for Sprotechs team.