In this series the service delivery team writes about an outstanding talk they saw at a recent conference and implementing those lessons at scale.

One of the most exciting parts about continuous testing is the open door policy that exists with our customers. When a new piece of research comes out, we can verify and explore the issue across all internal and external customer networks simultaneously, right away. This keeps our customers aware of and protected against trending risk. That said, a big highlight for me this year at Defcon was HD Moore and Rob King’s talk titled “SSHamble: Unexpected Exposures in the Secure Shell”. In true HDM fashion it included an eye-watering 90+ slides of knowledge (which went by with ease), hunting an international criminal, 0-days, and a new open-source tool. Kudos to both Rob and HD for their incredible work.

The TL;DR of the presentation is that the runZero team analyzed a large portion of the SSH ecosystem and identified vulnerabilities across a wide range of implementations. It is probably no surprise that SSH is one of the most widely deployed services on the Internet. Additionally, their work provides some excellent best practices for implementing and defending the SSH service in your networks.

Finally, they also released an open-source tool called SSHamble to identify vulnerable implementations and scan SSH servers. Using SSHamble, we scanned all of our customers' internal and external environments for relevant issues.

Here are a few takeaways in practice:

RCE in Ruckus

During the presentation the team disclosed an uncredited (as in patched without announcement or credit to them) remote code execution in Ruckus Wireless APs (see slide 60 in https://i.blackhat.com/BH-US-24/Presentations/REVISED02-US24_Moore_Secure_Shells_in_Shambles_Wednesday.pdf). The vulnerability is exploitable without authentication by inserting a command into the password field at login. Quite a few of our customers have Ruckus Wireless APs connected in their internal networks, and SSHamble picked up on this quickly. If you haven’t scanned your internal networks for this one already, definitely check it out.

Port Forwarding Enabled

As part of the vulnerability collection, SSHamble will discover SSH servers with port forwarding and “none” authentication enabled. A good example would be an SSH service that presents a custom login screen like the following:

[Image: custom login screen presented over SSH]

In this case an initial “none” authentication lets the end user interact with the custom login screen over SSH before they have fully authenticated. Now consider a system that also allows port forwarding at this stage. The combination allows us to bypass the host-based firewall and make requests to any open port on the server.

The following command can be used to bypass the host firewall and reach those ports while the custom login screen is still displayed:

ssh -L 9999:[REMOTE_IP]:[SECRET_PORT] [REMOTE_IP]

In a separate terminal, access the target’s [SECRET_PORT] via the local listener (9999):

curl localhost:9999
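The fix on the server side is to make sure forwarding is not available to sessions that have not really authenticated. The following is an added example, not SSHamble or runZero code, that audits an OpenSSH sshd_config for the settings involved. It assumes OpenSSH directive semantics: AllowTcpForwarding defaults to "yes", PermitOpen to "any", GatewayPorts and PermitEmptyPasswords to "no", and the first occurrence of a keyword wins. The two sample configs are constructed for illustration; embedded devices with custom login shells will not use sshd_config at all, so treat this as the check for the OpenSSH-based hosts in your estate.

```python
"""Audit an OpenSSH sshd_config for the pre-authentication forwarding exposure
described above.

Added example (not SSHamble code). Assumes OpenSSH semantics: AllowTcpForwarding
defaults to "yes", PermitOpen to "any", GatewayPorts and PermitEmptyPasswords to
"no", and the first occurrence of a keyword wins. Match blocks only apply to
matching connections, so they are parsed and reported separately."""
import re

# OpenSSH defaults used when a directive is absent (assumption stated above).
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "permitopen": "any",
    "gatewayports": "no",
    "permitemptypasswords": "no",
}

# AllowTcpForwarding values that still permit client-initiated (ssh -L) tunnels.
LOCAL_FORWARDING_VALUES = {"yes", "all", "local"}


def parse_sshd_config(text):
    """Split a config into (global directives, [(match criteria, directives), ...]).

    Keywords are lower-cased, comments and blank lines are dropped, and both
    "Key value" and "Key=value" forms are accepted."""
    global_directives = {}
    match_blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = (value, {})
            match_blocks.append(current)
            continue
        target = current[1] if current is not None else global_directives
        target.setdefault(keyword, value)  # first occurrence wins, as in sshd
    return global_directives, match_blocks


def audit_forwarding(text):
    """Return human-readable findings; an empty list means the forwarding path
    described in the post is closed at the sshd configuration level."""
    directives, match_blocks = parse_sshd_config(text)

    def effective(keyword):
        return directives.get(keyword, DEFAULTS[keyword]).lower()

    findings = []
    fwd = effective("allowtcpforwarding")
    if fwd in LOCAL_FORWARDING_VALUES:
        findings.append("AllowTcpForwarding %s: clients may open -L tunnels through this host" % fwd)
        if effective("permitopen") == "any":
            findings.append("PermitOpen any: tunnels may reach every host:port the server can reach, "
                            "including loopback-only services")
    if effective("gatewayports") != "no":
        findings.append("GatewayPorts %s: remote forwards bind to non-loopback addresses"
                        % effective("gatewayports"))
    if effective("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes: the 'none' method can log in empty-password accounts")
    for criteria, block in match_blocks:
        if block.get("allowtcpforwarding", "").lower() in LOCAL_FORWARDING_VALUES:
            findings.append("Match %s: re-enables TCP forwarding for matching sessions" % criteria)
    return findings


# Constructed sample configs: the weak one relies on defaults, the hardened one is explicit.
WEAK_CONFIG = """
# AllowTcpForwarding left at its default (yes), PermitOpen unrestricted
Port 22
PermitEmptyPasswords yes
Match Group vendor
    AllowTcpForwarding yes
"""

HARDENED_CONFIG = """
Port 22
AllowTcpForwarding no
PermitOpen none
GatewayPorts no
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_forwarding(cfg)
        print("%s: %d finding(s)" % (name, len(findings)))
        for finding in findings:
            print("  -", finding)
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_forwarding`; the weak sample produces four findings and the hardened one none. Note that an include or a Match block can reopen forwarding for specific users, which is why Match blocks are listed rather than silently merged into the global view.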

Fingerprinting for the Future

At Sprocket, we are always on the lookout for fresh exploits in existing products. Another nice thing about SSHamble is that it collects and stores all banners and helps with some known fingerprints for devices. In the future, we can easily pick up on products (looking at you, MOVEit SSH) and tailor our testing to them.
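Banner data is only as useful as the structure you pull out of it. Below is an added example, not SSHamble code, that parses SSH identification strings in the RFC 4253 form (`SSH-protoversion-softwareversion comments`) into fields and groups hosts by implementation family, so a stored banner collection can be turned into an inventory for patch prioritization. The fingerprint table and the sample banners are constructed for illustration.

```python
"""Parse SSH identification strings (the banners SSHamble records) into
structured fields and group hosts by implementation family.

Added example, not SSHamble code. Follows the RFC 4253 banner format
"SSH-protoversion-softwareversion SP comments CR LF". The fingerprint table
and sample banners below are constructed for illustration."""
import re
from collections import defaultdict

BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# Constructed fingerprint table: software-version prefix -> family label.
# Capture groups, when present, extract a comparable version tuple.
FINGERPRINTS = [
    (re.compile(r"^OpenSSH_(\d+)\.(\d+)"), "OpenSSH"),
    (re.compile(r"^dropbear_(\d{4})\.(\d+)"), "Dropbear"),
    (re.compile(r"^libssh[_-]?"), "libssh"),
]


def parse_banner(raw):
    """Return proto/software/comments/family/version for a banner line,
    or None when the line is not an SSH identification string."""
    line = raw.rstrip("\r\n")
    match = BANNER_RE.match(line)
    if not match:
        return None
    info = match.groupdict()
    info["family"] = "unknown"
    info["version"] = None
    for pattern, family in FINGERPRINTS:
        version_match = pattern.match(info["software"])
        if version_match:
            info["family"] = family
            groups = version_match.groups()
            info["version"] = tuple(int(g) for g in groups) if groups else None
            break
    return info


def inventory(records):
    """Group (host, banner) records by family; also list hosts still advertising
    protocol 1 compatibility (proto other than 2.0) and lines that did not parse."""
    by_family = defaultdict(list)
    legacy_proto = []
    unparsed = []
    for host, banner in records:
        info = parse_banner(banner)
        if info is None:
            unparsed.append(host)
            continue
        by_family[info["family"]].append((host, info["software"], info["version"]))
        if info["proto"] != "2.0":
            legacy_proto.append(host)
    return {"by_family": dict(by_family), "legacy_proto": legacy_proto, "unparsed": unparsed}


# Constructed sample capture: (host, banner as received on the wire).
SAMPLE_BANNERS = [
    ("10.0.0.5", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"),
    ("10.0.0.7", "SSH-2.0-dropbear_2019.78\r\n"),
    ("10.0.0.9", "SSH-1.99-OpenSSH_5.3\r\n"),
    ("10.0.0.12", "SSH-2.0-libssh_0.8.7\r\n"),
    ("10.0.0.20", "220 not-an-ssh-service\r\n"),
]

if __name__ == "__main__":
    result = inventory(SAMPLE_BANNERS)
    for family, hosts in sorted(result["by_family"].items()):
        oldest = min((h for h in hosts if h[2] is not None), key=lambda h: h[2], default=None)
        print("%s: %d host(s), oldest version %s" % (family, len(hosts), oldest))
    print("protocol 1 compatibility advertised:", result["legacy_proto"])
    print("unparsed:", result["unparsed"])
```

Sorting each family by the version tuple gives the oldest build per implementation, which is the natural starting point when a new advisory lands for one of them. Comments after the software version (the Ubuntu build string above) are kept separately, since distributions backport fixes without bumping the upstream version.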

Conclusion

Although there is much more to say about this research, I am going to end it here. Overall, we got some nice findings and other data from this work. Thanks again to Rob and HDM.

Whether you are on offense or defense, I would highly recommend testing out SSHamble and reviewing the slide deck linked below. In particular, slides 90-94 are all about mitigations and safe SSH deployments for your systems.

References

SSHamble: Unexpected Exposures in the Secure Shell Slide Deck: https://i.blackhat.com/BH-US-24/Presentations/REVISED02-US24_Moore_Secure_Shells_in_Shambles_Wednesday.pdf

SSHamble website: https://www.runzero.com/sshamble/