CVE-2012-6066
Published 2012-12-04
Priority: P273 | Severity: critical | CVSS 2.0: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 39.51% (98.4th percentile)
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freesshd | freesshd | <= 1.2.6 | — |
| freesshd | freesshd | — | — |
| freesshd | freesshd | — | — |
Detection & IOCs (extracted from sources)
- Detect freeSSHd authentication bypass by identifying SSH banner 'SSH-2.0-WeOnlyDo 2.1.3' or 'SSH-2.0-WeOnlyDo 2.0.6' on port 22; these specific versions are confirmed vulnerable.
- Alert on SSH connections that successfully authenticate using only a freshly generated ephemeral RSA key (2048-bit) with no prior key exchange history, which is characteristic of the bypass technique.
- Monitor for upload of 'nullevent.mof' to the WMI MOF auto-execution path (wbem/mof/) via SFTP, which is the post-exploitation persistence/execution technique used with this vulnerability.
- Detect VBS-based payload staging over SSH: look for sequences of base64-encoded VBS commands executed via SSH shell, consistent with CmdStagerVBS post-exploitation.
- Flag SSH login attempts using common default usernames (root, admin, Administrator, webadmin, sysadmin, netadmin, guest, user, web, test, ssh, sftp, ftp) against freeSSHd services, especially when authentication succeeds without a valid credential exchange.
- Note: the Metasploit module targets freeSSHd <= 1.2.6 and requires the net/ssh gem to be installed; the bypass works against both password and public key authentication modes.
- Note: the VBS payload upload step can take up to 5 minutes; defenders should account for prolonged SSH session activity as a sign of staged payload delivery.
- Note: the exploit leverages the STUXNET WMI MOF execution technique for code execution after authentication bypass; detection should cover both the auth bypass and the subsequent MOF-based execution chain.
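A triage sketch for the banner and MOF-upload detection points above, added here as an example and not taken from any of the indexed sources. The function names are hypothetical, and the hosts, the non-listed banners and the file paths are constructed sample data.

```python
import re
from pathlib import PureWindowsPath

# The two banners this page lists as confirmed vulnerable.
CONFIRMED = {"SSH-2.0-WeOnlyDo 2.1.3", "SSH-2.0-WeOnlyDo 2.0.6"}
# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
IDENT = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def classify_banner(raw: bytes) -> str:
    """Return 'confirmed', 'review' or 'other' for one captured SSH banner."""
    line = raw.decode("ascii", errors="replace").rstrip("\r\n")
    m = IDENT.match(line)
    if not m:
        return "other"
    if line in CONFIRMED:
        return "confirmed"
    # WeOnlyDo carries its version after a space (the comments field), so a
    # parser that expects name_version in one token misses it. Assumption:
    # any other WeOnlyDo banner is queued for manual review, not cleared.
    if m["software"].lower().startswith("weonlydo"):
        return "review"
    return "other"


def is_mof_drop(path: str) -> bool:
    """True for a .mof file written directly into a wbem/mof directory."""
    p = PureWindowsPath(path)  # accepts both / and \ separators
    parents = [part.lower() for part in p.parts[:-1]]
    return p.suffix.lower() == ".mof" and parents[-2:] == ["wbem", "mof"]


def triage(scan, file_events):
    """Map each host to a banner verdict and list suspicious MOF writes."""
    hosts = {host: classify_banner(banner) for host, banner in scan}
    drops = [path for path in file_events if is_mof_drop(path)]
    return hosts, drops


# Constructed sample input: (host, banner) pairs and file-creation paths.
SCAN = [
    ("10.0.0.5", b"SSH-2.0-WeOnlyDo 2.1.3\r\n"),
    ("10.0.0.6", b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
    ("10.0.0.7", b"SSH-2.0-WeOnlyDo 9.9.9\r\n"),
]
FILE_EVENTS = [
    r"C:\Windows\System32\wbem\mof\nullevent.mof",
    r"C:\Users\bob\Documents\notes.mof",
    "c:/windows/system32/WBEM/MOF/other.mof",
]
```

A banner match only identifies candidate hosts; pairing it with the MOF-write check covers the execution stage the page describes.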
No detection rules found.
Exploit-DB
freeSSHd 1.2.6 - Authentication Bypass (Metasploit)
exploitdb·2013-01-15
---
require 'msf/core'
require 'tempfile'
class Metasploit3 "Freesshd Authentication Bypass",
'Description' => %q{
This module exploits a vulnerability found in FreeSSHd MSF_LICENSE,
'Author' =>
[
'Aris', # Vulnerability discovery and Exploit
'kcope', # 2012 Exploit
'Daniele Martini ' # Metasploit module
],
'References' =>
[
[ 'CVE', '2012-6066' ],
[ 'OSVDB', '88006' ],
[ 'BID', '56785' ],
[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2010/Aug/132' ]
],
'Platform' => 'win',
'Privileged' => true,
'DisclosureDate' => "Aug 11 2010",
'Targets' =>
[
[ 'Freesshd 0
))
register_options(
[
OptInt.new('RPORT', [false, 'The target port', 22]),
OptString.new('USER
Exploit-DB
freeSSHd 2.1.3 - Remote Authentication Bypass
exploitdb·2012-12-02
---
FreeSSHD all version Remote Authentication Bypass ZERODAY
Discovered & Exploited by Kingcope
Year 2011
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23080.zip
Run like:
ssh.exe -l
valid username might be:
root
admin
administrator
webadmin
sysadmin
netadmin
guest
user
web
test
ssh
sftp
ftp
or anything you can imagine.
The vulnerable banner of the most recent version is:
SSH-2.0-WeOnlyDo 2.1.3
For your pleasure,
Kingcope
Exploit-DB
freeFTPd 1.2.6 - Remote Authentication Bypass
exploitdb·2012-12-02
---
FreeFTPD all versions Remote System Level Exploit Zero-Day -- No username needed, straightforward rooting!
Discovered & Exploited By Kingcope
Year 2011
--
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23079.zip
Example banner: WeOnlyDo-wodFTPD 2.3.6.165
This package includes all you need to successfully root any version of FreeFTPD:
* Modified version of ssh.exe (FreeFTPD authentication bypass)
* sftp.exe for connecting to the server
* nullevent.exe connect back shell that is uploaded to the server
* nullevent.mof file which is uploaded to the server to execute the connect back shell
* MSVCR100.dll that is needed by nullevent.exe
* scan logs for your pleasure!
We make use of the STUXNET technique to
Metasploit
Freesshd Authentication Bypass
metasploit
This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass authentication. You just need the username (which defaults to root). The exploit has been tested with both password and public key authentication.
No writeups or analysis indexed.