POC details: 612f47ccfe08530998f898d75ca314da6baa9545

Source
Associated vulnerability
Title: OpenSSH information disclosure vulnerability (CVE-2016-6210)
Description: OpenSSH (OpenBSD Secure Shell) is a set of connection tools from the Canadian OpenBSD project for securely accessing remote computers. It is an open-source implementation of the SSH protocol; it supports encryption of all traffic and can effectively prevent eavesdropping, connection hijacking and other network-level attacks. sshd in OpenSSH versions prior to 7.3 has an information disclosure vulnerability. The vulnerability stems from configuration and similar errors present while the network system or product is running. An unauthorized attacker can exploit the vulnerability to obtain sensitive information from the affected component.
Description
Custom exploit written for enumerating usernames as per CVE-2016-6210
Introduction
# CVE-2016-6210-exploit
Custom exploit (python 2.7) written for enumerating usernames as per CVE-2016-6210 (OpenSSH 7.2-p2 & prior)

_should only be used on authorised systems_

## DESCRIPTION

I wrote this program as a tool to exploit CVE-2016-6210, which is a vulnerability in OpenSSH (before version 7.3) [disclosed by Eddie Harari](https://vuldb.com/?id.89622).

From what I understand, the problem is that, in these versions of OpenSSH, when given a large password (in this case 25kb) the hashing processing time reveals whether a username exists or not, as the time taken is higher for valid users.

This program helps to exploit this vulnerability by sending a number of usernames (from a wordlist) and measuring how long each one took to process. The user can set an alert threshold (an amount of time that suits them), and the time and username are displayed whenever the processing time exceeds it.

The user can also add an IP or email so that each item in the list is tested both with and without the email addon at the end.
By default (if no appendage is provided), the program tests each word in the wordlist in the forms _word_ and _word@IP_.
If an appendage is provided, it does the same, but with _word@appendage_ in place of _word@IP_.

The number of times each word is sent and the response timed can be customised; the program then automatically computes an average processing time, which is used instead of the individual times, for reliability.

A delay can also be provided, preventing the program from sending too many requests too quickly.


As for the SSH request code itself, credit goes to Eddie Harari for most of the code in `cveCode.py`: a modified version of Harari's code is used for sending the requests and calculating the timings. His advisory and sample code can be found [here](https://seclists.org/fulldisclosure/2016/Jul/51).

_Note: My code has only been black-box tested on OpenSSH-7.2p2 (client is Kali Linux) and needs further testing. The results and parameters are controlled and interpreted by the user._

## USAGE

`python exploit_6210.py IP_ADDRESS [-h] [-a ALERT] [-w WORDLIST] [-e EMAIL] [-av ITERATE_AMOUNT] [-d DELAY]`

Where:

- IP_ADDRESS is the host that you are testing the program against

- -a ALERT (optional, default is 0.1) is the processing time (in seconds) above which an alert is raised

- -w WORDLIST (optional, default is usernamelist) is the file path of the list of usernames you would like to test against the host

- -e EMAIL (optional) is the IP or email appendage (which should look like @IP_ADDRESS or @email.com) to try on the end of each element in the wordlist (note that both the item AND the item + email will be tried)

- -av ITERATE_AMOUNT (optional, default is 1) is the number of times to query the SSH server for each given username, which allows more reliable averaged timings to be used (the higher the number, the longer it will take, by a LOT)

- -d DELAY (optional, default is 0.5) is the approximate delay (in seconds) between each request (the higher the number, the longer it will take, by A LOT)
File snapshot

```
[4.0K] /data/pocs/612f47ccfe08530998f898d75ca314da6baa9545
├── [ 928] cveCode.py
├── [5.7K] exploit_6210.py
├── [   0] __init__.py
├── [3.1K] README.md
└── [ 376] usernamelist

0 directories, 5 files
```