AOSC-Dev / aosc-os-abbs

ABBS/ACBS tree for AOSC OS package metadata, build configuration, scripts, and patches
https://packages.aosc.io
GNU General Public License v2.0

dropbear: CVE-2018-15599 #1353

Closed l2dy closed 6 years ago

l2dy commented 6 years ago

http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html

Hi all,

The user enumeration issue in OpenSSH [0] also exists in Dropbear 2018.76 and earlier; at least going back to w/v2013.58 (didn't test with earlier versions yet). It is specifically related to this code in svr-auth.c [1]:

----- 8< ----- 8< ----- 8< ----- 8< -----

```c
#if DROPBEAR_SVR_PUBKEY_AUTH

	/* user wants to try pubkey auth */
	if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
			strncmp(methodname, AUTH_METHOD_PUBKEY,
				AUTH_METHOD_PUBKEY_LEN) == 0) {
		if (valid_user) {
			svr_auth_pubkey();
		} else {
			/* pubkey has no failure delay */
			send_msg_userauth_failure(0, 0);
		}
		goto out;
	}
```

----- 8< ----- 8< ----- 8< ----- 8< -----

The PoC released for OpenSSH [2] also works against Dropbear - which seems remarkable because both have an entirely different code base and the issue is not due to SSH specs.

Because the issue can be abused to test both for SSH and non-SSH users, it can be abused to enumerate installed services/software by testing for default/known service users.

To test an SSH service on 127.0.0.1:22022 for user 'admin', the PoC can be executed as follows:

$ python ssh-check-username.py --port 22022 127.0.0.1 admin

Credits to /u/dbzjegrw8o6n0 for posting an initial observation at /r/blackhat [3], which triggered a colleague and me to look into it.

Friendly regards, Matthijs Koot (Secura BV, the Netherlands)

[0] http://seclists.org/oss-sec/2018/q3/124
[1] https://github.com/mkj/dropbear/blob/master/svr-auth.c#L175-L188
[2] https://bugfuzz.com/stuff/ssh-check-username.py
[3] https://www.reddit.com/r/blackhat/comments/97ywnm/openssh_username_enumeration/e4e05n2/
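The root cause in the quoted svr-auth.c snippet is ordering: for an unknown user the server answers with `send_msg_userauth_failure` before it ever parses the public-key request, while for a known user the request is parsed first, so a request the parser rejects ends the session only in the second case. The following C program is an added illustration written for this issue, not Dropbear's code and not the upstream patch; it models that ordering with a deliberately simplified, constructed "packet" format (a 4-byte length prefix plus blob) and hypothetical function names (`handle_pubkey_request_vulnerable`, `handle_pubkey_request_hardened`, `leaks_user_existence`). It shows that doing the parsing work for every user before branching on `valid_user` removes the observable difference, which is the property a reviewer should check for in any fix.

```c
/*
 * Added illustration for CVE-2018-15599 (not Dropbear's code). The wire
 * format, outcome enum and function names are constructed for this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum {
    OUTCOME_FAILURE,      /* SSH_MSG_USERAUTH_FAILURE sent, session continues */
    OUTCOME_DISCONNECT,   /* request rejected by the parser, connection dropped */
    OUTCOME_PUBKEY_CHECK  /* well-formed request, proceed to key verification */
} auth_outcome;

/* Constructed format: 4-byte big-endian length followed by that many blob
 * bytes. Returns 0 on success, -1 if the length field exceeds the data present. */
static int parse_pubkey_blob(const uint8_t *buf, size_t len, size_t *bloblen)
{
    if (len < 4) return -1;
    uint32_t declared = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                        ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (declared > len - 4) return -1;
    *bloblen = declared;
    return 0;
}

/* Ordering of the quoted snippet: unknown users are answered before parsing,
 * so only a known user's request ever reaches the parser. */
auth_outcome handle_pubkey_request_vulnerable(int valid_user,
                                              const uint8_t *buf, size_t len)
{
    size_t bloblen;
    if (!valid_user)
        return OUTCOME_FAILURE;                 /* "pubkey has no failure delay" */
    if (parse_pubkey_blob(buf, len, &bloblen) != 0)
        return OUTCOME_DISCONNECT;
    return OUTCOME_PUBKEY_CHECK;
}

/* Hardened ordering: parse the request for every user first, then branch.
 * A request the parser rejects now yields the same result for any username. */
auth_outcome handle_pubkey_request_hardened(int valid_user,
                                            const uint8_t *buf, size_t len)
{
    size_t bloblen;
    if (parse_pubkey_blob(buf, len, &bloblen) != 0)
        return OUTCOME_DISCONNECT;
    if (!valid_user)
        return OUTCOME_FAILURE;
    return OUTCOME_PUBKEY_CHECK;
}

/* Regression check: does this request tell a known user from an unknown one?
 * Returns 1 if the two outcomes differ (information leak), 0 otherwise. */
int leaks_user_existence(auth_outcome (*handler)(int, const uint8_t *, size_t),
                         const uint8_t *buf, size_t len)
{
    return handler(1, buf, len) != handler(0, buf, len);
}

/* Constructed sample requests. */
const uint8_t WELL_FORMED[] = {0, 0, 0, 3, 'k', 'e', 'y'};
const uint8_t MALFORMED[]   = {0, 0, 0xff, 0xff, 'k'};  /* length field overstates data */

int main(void)
{
    printf("vulnerable ordering leaks on malformed request: %d\n",
           leaks_user_existence(handle_pubkey_request_vulnerable,
                                MALFORMED, sizeof MALFORMED));
    printf("hardened ordering leaks on malformed request:   %d\n",
           leaks_user_existence(handle_pubkey_request_hardened,
                                MALFORMED, sizeof MALFORMED));
    return 0;
}
```

`leaks_user_existence` is the kind of check worth keeping as a unit test after applying the upstream patch: it exercises both the known and unknown user path with the same input and asserts the outcomes match, so a future refactor that reintroduces the early return is caught.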


MingcongBai commented 6 years ago

No fix yet (?).

l2dy commented 6 years ago

Cross-References: DLA-1476-1

Patch: https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00

MingcongBai commented 6 years ago

Thanks.

MingcongBai commented 6 years ago

Fixed with https://github.com/AOSC-Dev/aosc-os-abbs/commit/7975e3c764184581ebec645d6b1140eef339faae. Closing.

l2dy commented 6 years ago

Use AOSA-2018-0391.