From 2e010296afa4299e5b0e13ece97433955742cf58 Mon Sep 17 00:00:00 2001 From: nnposter Date: Sun, 16 Aug 2020 21:18:01 +0000 Subject: [PATCH] Prevent SSH2 KEX confusion. Fixes #2105 --- CHANGELOG | 3 +++ nselib/ssh2.lua | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index ed8ad5fd6..cdeb9e86e 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,8 @@ #Nmap Changelog ($Id$); -*-text-*- +o [NSE][GH#2105] Fetching of SSH2 keys might fail because of key exchange + confusion [nnposter] + o [NSE][GH#2091] Parsing of AFP FPGetFileDirParms and FPEnumerateExt2FPEnumerateExt2 responses was not working correctly [nnposter] diff --git a/nselib/ssh2.lua b/nselib/ssh2.lua index 8b0c3a86b..8ba6d9304 100644 --- a/nselib/ssh2.lua +++ b/nselib/ssh2.lua @@ -194,7 +194,7 @@ fetch_host_key = function( host, port, key_type ) local packet = transport.build( transport.kex_init( { host_key_algorithms=key_type, - kex_algorithms="diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256", + kex_algorithms="diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256", } ) ) status = socket:send( packet ) if not status then socket:close(); return end @@ -213,6 +213,9 @@ fetch_host_key = function( host, port, key_type ) local kex_algs = tostring( kex_init.kex_algorithms ) local kexdh_gex_used = false local prime, q, gen + -- NB: For each KEX prefix used here, make sure that all corresponding + -- algorithms are listed in the transport.kex_init() call above. + -- Otherwise this code might proceed with an incorrect KEX. if kex_algs:find("diffie-hellman-group1-", 1, true) then prime = prime2 q = 1024