Timeout when trying to scan dropbear - Githubissues

RUB-NDS / Terrapin-Scanner

This repository contains a simple vulnerability scanner for the Terrapin attack present in the paper "Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation".

https://terrapin-attack.com

Apache License 2.0

947 stars 64 forks source link

Timeout when trying to scan dropbear #5

Closed klaus-halfmann closed 11 months ago

klaus-halfmann commented 11 months ago

Installed Dropbear v2022.83 on an M1 mac via brew and started it as:

dropbear -E -B -R -p 2222
A12504469@T0013278b4 Hetzner % [45036] Dec 20 14:04:20 Running in background
[45070] Dec 20 14:04:54 Child connection from 127.0.0.1:53075
[45070] Dec 20 14:09:54 Exit before auth from <127.0.0.1:53075>: Timeout before auth

The TerrapinScanner (actually Terrapin_Scanner_MacOS_arm64_darwin) just runs in a timeout

% ./TerrapinScanner -connect localhost:2222
panic: error while reading packet length of binary packet: EOF

goroutine 1 [running]:
main.main()
    /home/fabian/GolandProjects/Terrapin-Scanner/main.go:314 +0x1e4

So I assume dropbear is not affected? If yes I would bounce this back to their project side.

TrueSkrillor commented 11 months ago

To the best of our knowledge, dropbear is affected. Actually, dropbear has already pushed support for strict key exchange into their GitHub repository (https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356), but has yet to be released. Can you confirm that you are using the latest version (which is v1.0.3)? There has been a similar issue (#1) which has already been fixed. If you can, I will dig into this further.

klaus-halfmann commented 11 months ago

./TerrapinScanner -help -> does not show any Version

I use the Terrapin_Scanner_MacOS_arm64_darwin downloaded https://github.com/RUB-NDS/Terrapin-Scanner/releases/tag/v1.0.3

TrueSkrillor commented 11 months ago

Alright, I will have a look at this. And I just noticed that I forgot to add a way to print the current version of the tool.

TrueSkrillor commented 11 months ago

Okay, I guess I figured out what went wrong. We are signing and notarizing MacOS binaries so they can be executed without requiring additional steps on the user's system. While doing so, the binaries for v1.0.3 got confused with v1.0.2, yielding v1.0.2 binaries in the v1.0.3 release. I removed these for now, will let you know when an updated binary is available.

TrueSkrillor commented 11 months ago

MacOS binaries for v1.1.0 are now available. Please check whether your issue persists.

klaus-halfmann commented 11 months ago

./Terrapin_Scanner_MacOS_arm64_darwin -version
Terrapin Vulnerability Scanner v1.1.0

./Terrapin_Scanner_MacOS_arm64_darwin -connect localhost:2222
================================================================================
==================================== Report ====================================
================================================================================

Remote Banner: SSH-2.0-dropbear_2022.83

ChaCha20-Poly1305 support:   true
CBC-EtM support:             false

Strict key exchange support: false

The scanned peer is VULNERABLE to Terrapin.
...

% dropbear -E -F -B -R -p 2222
[59831] Dec 21 06:58:46 Not backgrounding
[60119] Dec 21 07:02:28 Child connection from 127.0.0.1:56007
[60119] Dec 21 07:02:28 Exit before auth from <127.0.0.1:56007>: Exited normally

OK I consider this Bug fixed. Now need to check which version will fix this. at https://github.com/mkj/dropbear/tags

TrueSkrillor commented 11 months ago

You will have to build dropbear from master branch in order to support strict kex. Dropbear has yet to release an updated version (should become 2023.84). There is a release request here https://github.com/mkj/dropbear/issues/270.