RUB-NDS / Terrapin-Scanner

This repository contains a simple vulnerability scanner for the Terrapin attack presented in the paper "Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation".
https://terrapin-attack.com
Apache License 2.0

Unable to scan ROSSH from version 7.12rc7 and up #1

Closed hilt86 closed 8 months ago

hilt86 commented 8 months ago

Thanks for making this tool! If you scan a RouterOS SSH service with a version number greater than 7.12 it throws an error:

panic: error while reading packet length of binary packet: EOF

goroutine 1 [running]:
main.main()
    /home/ubuntu/go/pkg/mod/github.com/!r!u!b-!n!d!s/!terrapin-!scanner@v1.0.2/main.go:314 +0x1e4

I built Terrapin scanner from source using :

go install github.com/RUB-NDS/Terrapin-Scanner@latest

with "go version go1.21.5 linux/arm64" on Ubuntu Jammy

Here is a table of the versions I tried (unknown means it throws that error above) :

+---------+----------------+
| version | vulnerable     |
+---------+----------------+
| 6.49.6  | not vulnerable |
| 6.49.8  | not vulnerable |
| 7.12rc7 | unknown        |
| 7.11.2  | not vulnerable |
| 7.12.1  | unknown        |
| 7.13    | unknown        |
+---------+----------------+

TrueSkrillor commented 8 months ago

Thanks for the report; I will have a look at it tomorrow. It doesn't surprise me that the scanner can't scan all SSH implementations just yet, given the fact that it isn't a fully-fledged SSH implementation. The guess from my side would be that the server is waiting for the client to send its KEXINIT message (which it does not), although this is just speculation.

Is there a way to reproduce this issue without having to buy a Mikrotik router?

hilt86 commented 8 months ago

Yep, if you DM me your IP on Twitter I will open up SSH to your IP for testing.

hilt86 commented 8 months ago

Alternatively you can download a VMDK / OVA from https://mikrotik.com/download (the cloud hosted router images).

TrueSkrillor commented 8 months ago

Check your DMs. If you can provide me with a suitable host for testing, this will save me some time.

hilt86 commented 8 months ago

done!

TrueSkrillor commented 8 months ago

I successfully scanned the router you provided me using a similar setup (Ubuntu 22.04 server, go 1.21.5) - not vulnerable. This aligns with our communication during Responsible Disclosure, which included Mikrotik as a vendor. Can you recheck whether this issue is still present for you?

hilt86 commented 8 months ago

I get inconsistent behavior - one run returns the error while a subsequent run will return "not vulnerable"

TrueSkrillor commented 8 months ago

Okay, that did the trick. Re-running the scanner multiple times will eventually cause it to run into something that seems like a timeout. Will dig into this.

TrueSkrillor commented 8 months ago

Okay, I believe this is fixed now. Please check v1.0.3 and see if this does the trick. I was able to successfully scan your server > 10 times without any issues. The issue was that the scanner used a bufio.Reader during banner exchange, but switched to io.ReadFull on the connection for the KEXINIT. Although the buffered reader was called with a delimiter, the underlying calls to the connection reader caused more bytes to be read if the KEXINIT was available. As the buffered reader was discarded, the received KEXINIT was discarded as well. The scanner now uses a single buffered reader (and writer) throughout the scan, avoiding accidentally discarding any bytes.
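The reader mismatch described in the comment above, reproduced on a constructed byte stream as an added example (this is not the scanner's own code; serverBytes, scanBuggy and scanFixed are hypothetical names, and the packet body is a shortened stand-in for a real KEXINIT):

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// serverBytes is constructed sample input: the server identification string
// immediately followed by a shortened, hypothetical binary packet (KEXINIT).
func serverBytes() []byte {
	banner := []byte("SSH-2.0-ExampleServer\r\n")
	body := []byte{4, 20, 0, 0, 0, 0} // padding_length, SSH_MSG_KEXINIT, padding
	pkt := make([]byte, 4)
	binary.BigEndian.PutUint32(pkt, uint32(len(body)))
	return append(banner, append(pkt, body...)...)
}

// readPacketLength reads the 4-byte packet_length field of a binary packet.
func readPacketLength(r io.Reader) (uint32, error) {
	var buf [4]byte
	if _, err := io.ReadFull(r, buf[:]); err != nil {
		return 0, fmt.Errorf("error while reading packet length of binary packet: %w", err)
	}
	return binary.BigEndian.Uint32(buf[:]), nil
}

// scanBuggy mirrors the v1.0.2 pattern: bufio.Reader for the banner, raw conn for
// KEXINIT. Bytes bufio already pulled into its buffer are lost when it is dropped.
func scanBuggy(conn io.Reader) (uint32, error) {
	br := bufio.NewReader(conn)
	if _, err := br.ReadString('\n'); err != nil {
		return 0, err
	}
	return readPacketLength(conn) // BUG: bypasses the buffered reader
}

func scanFixed(conn io.Reader) (uint32, error) {
	br := bufio.NewReader(conn)
	if _, err := br.ReadString('\n'); err != nil {
		return 0, err
	}
	return readPacketLength(br) // v1.0.3 approach: one buffered reader throughout
}

func main() {
	_, err := scanBuggy(bytes.NewReader(serverBytes()))
	n, _ := scanFixed(bytes.NewReader(serverBytes()))
	fmt.Println("buggy:", err, "| fixed packet_length:", n)
}
```

On a real socket the KEXINIT bytes only end up in bufio's buffer when they arrive in the same read as the banner, which is why the failure in this thread was intermittent rather than constant.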

hilt86 commented 8 months ago

Thanks, it worked.

BernhardGruen commented 8 months ago

Just a quick note: either v1.0.3 or v1.0.2 also fixed the scanning behaviour for ProFTPd + mod_sftp. There was a timeout too. Now I get a consistent result. Thank you very much!

TrueSkrillor commented 8 months ago

Most likely v1.0.3; the fix was not specific to ROSSH but rather a general issue when KEXINIT was available during banner exchange. Will most likely affect a few other implementations as well.