Vulnerability in freeSSHd

The following article is a proof of concept for CVE-2018–9853 a vulnerabilty in the latest version of freeSSHd (1.3.1).

We will highlight how insecure access control in freeSSHd version 1.3.1 allows attackers to obtain the privileges of the freesshd.exe process by leveraging the ability to login to an unprivileged account on the server.

Proof of Concept

Let’s start with a clean install of freeSSHd on any version of windows, here we demonstrate Windows 7. The #1 search result for “ssh server on windows 7” is a TechRepublic article, assuming most users will be following said article we will as well. Below is a new install of freeSSHd version 1.3.1:

Default install of latest version of freeSSHd

As you can see, as soon as the application is opened the SSH server starts running. Now we will create windows users and add them to freeSSHd:

Creating the user accounts

In the picture above, we have created a user named standardaccount and did not add them to the administrators group. However, when we log in with putty in the next few images you will see standardaccount is able to run commands as an administrator.

Logging in with standardaccount

We are now ssh’d into the machine under the standardaccount credentials; however, this account has full administrative permissions as required by the first two commands below:

Running elevated commands

What is interesting is that the command “whoami” displays “win7client\testadmin” the user that launched the process. Whoever logs into the ssh server has the rights of said admin, whether they are an admin themselves or not. This concludes the proof of concept, now for a few more details:

freeSSHd has not received an update in several years, like any outdated software it is not recommended that it still be used. Instead there are alternatives like OpenSSH and bitvise. This vulnerability may still be impactful because freeSSHd is still distributed on their website and through the popular windows package manager chocolatey. On chocolatey alone, freesshd has 10,487 downloads in the last 3 years. Any of these servers that are currently running are vulnerable to this exploit unless they are configured to run as a service.

For additional content, follow me on Twitter: @TheWindowsTwin