Timeout when trying to scan dropbear

[klaus-halfmann]

Installed Dropbear v2022.83 on an M1 mac via brew and started it as:

dropbear -E -B -R -p 2222
A12504469@T0013278b4 Hetzner % [45036] Dec 20 14:04:20 Running in background
[45070] Dec 20 14:04:54 Child connection from 127.0.0.1:53075
[45070] Dec 20 14:09:54 Exit before auth from <127.0.0.1:53075>: Timeout before auth

The TerrapinScanner (actually Terrapin_Scanner_MacOS_arm64_darwin) just runs in a timeout

% ./TerrapinScanner -connect localhost:2222
panic: error while reading packet length of binary packet: EOF

goroutine 1 [running]:
main.main()
    /home/fabian/GolandProjects/Terrapin-Scanner/main.go:314 +0x1e4

So I assume dropbear is not affected? If yes I would bounce this back to their project side.

[TrueSkrillor]

To the best of our knowledge, dropbear is affected. Actually, dropbear has already pushed support for strict key exchange into their GitHub repository (https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356), but has yet to be released. Can you confirm that you are using the latest version (which is v1.0.3)? There has been a similar issue (#1) which has already been fixed. If you can, I will dig into this further.

[klaus-halfmann]

./TerrapinScanner -help -> does not show any Version

I use the Terrapin_Scanner_MacOS_arm64_darwin downloaded https://github.com/RUB-NDS/Terrapin-Scanner/releases/tag/v1.0.3

[TrueSkrillor]

Alright, I will have a look at this. And I just noticed that I forgot to add a way to print the current version of the tool.

[TrueSkrillor]

Okay, I guess I figured out what went wrong. We are signing and notarizing MacOS binaries so they can be executed without requiring additional steps on the user's system. While doing so, the binaries for v1.0.3 got confused with v1.0.2, yielding v1.0.2 binaries in the v1.0.3 release. I removed these for now, will let you know when an updated binary is available.

[TrueSkrillor]

MacOS binaries for v1.1.0 are now available. Please check whether your issue persists.

[klaus-halfmann]

./Terrapin_Scanner_MacOS_arm64_darwin -version
Terrapin Vulnerability Scanner v1.1.0

./Terrapin_Scanner_MacOS_arm64_darwin -connect localhost:2222
================================================================================
==================================== Report ====================================
================================================================================

Remote Banner: SSH-2.0-dropbear_2022.83

ChaCha20-Poly1305 support:   true
CBC-EtM support:             false

Strict key exchange support: false

The scanned peer is VULNERABLE to Terrapin.
...

% dropbear -E -F -B -R -p 2222
[59831] Dec 21 06:58:46 Not backgrounding
[60119] Dec 21 07:02:28 Child connection from 127.0.0.1:56007
[60119] Dec 21 07:02:28 Exit before auth from <127.0.0.1:56007>: Exited normally

OK I consider this Bug fixed. Now need to check which version will fix this. at https://github.com/mkj/dropbear/tags

[TrueSkrillor]

You will have to build dropbear from master branch in order to support strict kex. Dropbear has yet to release an updated version (should become 2023.84). There is a release request here https://github.com/mkj/dropbear/issues/270.