The user enumeration issue in OpenSSH [0] also exists in Dropbear 2018.76
and earlier; at least going back to w/v2013.58 (didn't test with earlier
versions yet). It is specifically related to this code in svr-auth.c [1]:
----- 8< ----- 8< ----- 8< ----- 8< -----
#if DROPBEAR_SVR_PUBKEY_AUTH
	/* user wants to try pubkey auth */
	if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
			strncmp(methodname, AUTH_METHOD_PUBKEY,
				AUTH_METHOD_PUBKEY_LEN) == 0) {
		if (valid_user) {
			svr_auth_pubkey();
		} else {
			/* pubkey has no failure delay */
			send_msg_userauth_failure(0, 0);
		}
		goto out;
	}
#endif
----- 8< ----- 8< ----- 8< ----- 8< -----
The PoC released for OpenSSH [2] also works against Dropbear - which seems
remarkable because both have an entirely different code base and the issue
is not due to SSH specs.
Because the issue can be abused to test both for SSH and non-SSH users, it
can be abused to enumerate installed services/software by testing for
default/known service users.
To test an SSH service on 127.0.0.1:22022 for user 'admin', the PoC can be
executed as follows:
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html
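
The branch quoted above, modelled next to a hardened ordering, as an added example that is not Dropbear's code or its fix. All names are hypothetical, and it assumes the observable difference is a parse failure in the pubkey handler, which only runs for valid users.

```c
#include <stddef.h>

/* What the client sees on the wire. Constructed model, not Dropbear code. */
enum outcome { OUT_FAILURE, OUT_DISCONNECT, OUT_PK_OK };

/* Constructed stand-in for the body of a pubkey auth request. */
struct pk_request {
    size_t declared_len;   /* key blob length claimed by the packet */
    size_t actual_len;     /* bytes actually present */
    int key_authorized;    /* would the key match this user's authorized keys? */
};

/* Assumption: a body that fails to parse makes the server drop the connection. */
static int parse_ok(const struct pk_request *r) {
    return r->declared_len > 0 && r->declared_len <= r->actual_len;
}

/* Same shape as the excerpt: unknown users are answered before parsing. */
enum outcome auth_early_exit(int valid_user, const struct pk_request *r) {
    if (!valid_user) return OUT_FAILURE;
    if (!parse_ok(r)) return OUT_DISCONNECT;
    return r->key_authorized ? OUT_PK_OK : OUT_FAILURE;
}

/* Hardened shape: every request is parsed first, the user check comes last. */
enum outcome auth_uniform(int valid_user, const struct pk_request *r) {
    if (!parse_ok(r)) return OUT_DISCONNECT;
    return (valid_user && r->key_authorized) ? OUT_PK_OK : OUT_FAILURE;
}

typedef enum outcome (*auth_fn)(int, const struct pk_request *);

/* Regression check: with a key that is not authorized, does any request
 * get a different answer for an existing user than for a missing one? */
int leaks_user_validity(auth_fn fn) {
    /* Constructed sample bodies: well formed, truncated, empty. */
    const struct pk_request samples[] = { {32, 32, 0}, {64, 16, 0}, {0, 0, 0} };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (fn(1, &samples[i]) != fn(0, &samples[i])) return 1;
    }
    return 0;
}
```

A check of this kind belongs in the server's test suite: it fails as soon as any code path answers a request differently depending on whether the account exists.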