sshmitm.plugins.scp.inject_file module
A plugin for exploiting CVE-2019-6111 and CVE-2019-6110, based on the ‘SSHtranger Things’ vulnerability in the OpenSSH client.
This class is a subclass of SCPForwarder and injects an additional file during an SCP transfer by exploiting the OpenSSH client vulnerability ‘SSHtranger Things’. This vulnerability has been patched in OpenSSH versions greater than 8.0p1. Exploitation starts by parsing the SCP command and determining whether the SCP client is downloading a file. If it is, an instance of this class is returned and its exploit method is called. That method exploits both CVE-2019-6111 and CVE-2019-6110.
- class sshmitm.plugins.scp.inject_file.SCPInjectFile(session)
Bases: SCPForwarder
Injects an additional file into an SCP download (CVE-2019-6111, CVE-2019-6110).
When an SCP client downloads a file from the server, this plugin exploits the SSHtranger Things vulnerability to silently deliver an extra file alongside the requested one. CVE-2019-6110 is used to hide the injection by sending ANSI escape sequences over stderr that erase the extra filename from the client’s terminal output.
The vulnerability was patched in OpenSSH 8.0p1. Clients running older versions or unpatched builds are affected.
Usage example
ssh-mitm server --scp-forwarder inject_file --scp-inject-file /path/to/inject.txt
Notes
Only triggers for SCP download operations (scp -f). Upload sessions fall back to the transparent SCPForwarder automatically. The injected file is sent to the client under its basename.
References: CVE-2019-6111, CVE-2019-6110, SSHtranger Things advisory
- Parameters:
session (Session)
- __init__(session)
Resolves the inject-file path and reads its metadata.
- Parameters:
session (Session) – the active SSH session being intercepted.
- exploit()
Starts the exploitation of CVE-2019-6111 and CVE-2019-6110.
- Return type:
None
- hide_tracks()
This method exploits CVE-2019-6110: the client displays the text that we send to stderr, even if it contains ANSI escape sequences. We can send ANSI codes that clear the current line to hide the fact that a second file was transmitted. Covering our tracks by sending the ANSI escape sequence `\x1b[1A\x1b[2K` (cursor up one line, then erase that line) gives complete stealth.
- Return type:
None
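The client-side hardening that defeats both techniques described under exploit() and hide_tracks() above, as an added Python example that is not part of ssh-mitm or OpenSSH: a name check on the SCP `C` file headers a server sends in `scp -f` mode (the kind of check OpenSSH added for CVE-2019-6111) and stripping of ANSI sequences from server-supplied stderr before it reaches a terminal (the CVE-2019-6110 mitigation). Function names, the sample headers and the sample stderr are constructed here; wildcard requests are not handled.

```python
import re
from typing import List, Tuple

# ESC [ <params> <intermediates> <final>: the CSI form used by \x1b[1A and \x1b[2K.
ANSI_CSI_RE = re.compile(rb"\x1b\[[0-?]*[ -/]*[@-~]")


def contains_terminal_manipulation(data: bytes) -> bool:
    """True if server-supplied stderr carries escape sequences (CVE-2019-6110 indicator)."""
    return ANSI_CSI_RE.search(data) is not None or b"\x1b" in data


def sanitize_remote_stderr(data: bytes) -> bytes:
    """Strip escape sequences and other control bytes before the text is printed."""
    cleaned = ANSI_CSI_RE.sub(b"", data)
    # Keep printable ASCII plus tab and newline; drop every other control byte.
    return bytes(b for b in cleaned if b in (0x09, 0x0A) or 0x20 <= b < 0x7F)


def accept_scp_header(line: bytes, requested: str) -> bool:
    """Decide whether a 'C<mode> <size> <name>' header matches the requested file.

    The server may only deliver the object that was asked for: no path
    components, no '.' or '..', and the basename must equal the request."""
    parts = line.rstrip(b"\n").decode("utf-8", "replace").split(" ", 2)
    if len(parts) != 3 or not parts[0].startswith("C"):
        return False
    name = parts[2]
    if "/" in name or name in (".", ".."):
        return False
    return name == requested.rsplit("/", 1)[-1]


def audit_download(headers: List[bytes], requested: str) -> Tuple[List[str], List[str]]:
    """Split the file headers seen in one 'scp -f' session into accepted and rejected names."""
    accepted, rejected = [], []
    for h in headers:
        name = h.rstrip(b"\n").decode("utf-8", "replace").split(" ", 2)[-1]
        (accepted if accept_scp_header(h, requested) else rejected).append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: the client asked for report.txt; the server sends a second header.
    sample_headers = [b"C0644 11 report.txt\n", b"C0644 5 inject.txt\n"]
    print(audit_download(sample_headers, "/srv/report.txt"))
    print(sanitize_remote_stderr(b"\x1b[1A\x1b[2Kall good\n"))
```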
- classmethod parser_arguments()
- Return type:
None
- process_data(data)
- Parameters:
data (bytes)
- Return type:
bytes