关联漏洞
标题:
OpenSSH输入验证错误漏洞
(CVE-2016-6515)
描述:OpenSSH(OpenBSD Secure Shell)是Openbsd计划组的一套用于安全访问远程计算机的连接工具。该工具是SSH协议的开源实现,支持对所有的传输进行加密,可有效阻止窃听、连接劫持以及其他网络级的攻击。 OpenSSH 7.3之前的版本中的sshd中的auth-passwd.c文件中的‘auth_password’函数存在输入验证错误漏洞,该漏洞源于程序没有在密码验证中限制密码长度。远程攻击者可借助长的字符串利用该漏洞造成拒绝服务(CPU消耗)。
描述
OpenSSH remote DOS exploit and vulnerable container
介绍
# OpenSSH remote DOS
[](https://hub.docker.com/r/vulnerables/cve-2016-6515/)
Before 7.3 OpenSSH does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string. This bug resides in ```auth-passwd.c``` in ```auth_password``` function.
Attackers can exploit this issue to cause the application to enter an infinite loop and consume excessive CPU resources, resulting in denial-of-service conditions.
### Vulnerable environment
To setup up an vulnerable invironment you just use the docker image
docker run --rm -it -p 8022:22 vulnerables/cve-2016-6515
### Exploit
To use this exploit you will need ```nodejs``` installed, clone this repo and install the dependencies with:
npm install
Then you can run the exploit
./exploit.js -h HOST -p PORT -u USER
If you run the image with the command described above, you can exploit it with
./exploit.js -h localhost -p 8022 -u root -i 100
### Patch
Update OpenSSH to 7.3
### Vulnerable Systems
* Ubuntu 16.04 LTS (If running 7.2)
* OpenSSH OpenSSH 7.2p2
* OpenSSH OpenSSH 7.2
* IBM Vios 2.2.1 4
* IBM Vios 2.2
* IBM Vios 2.2.4.0
* IBM Vios 2.2.3.50
* IBM Vios 2.2.2.5
* IBM Vios 2.2.2.0
* IBM Vios 2.2.1.3
* IBM Vios 2.2.1.1
* IBM Vios 2.2.0.13
* IBM Vios 2.2.0.11
* IBM OpenSSH for GPFS 3.5
* IBM Aix 7.2
* IBM AIX 7.1
* IBM AIX 6.1
* IBM AIX 5.3
### Credits
This flaw was found by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.
### Disclaimer
This or previous program is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that me (opsxcq) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not opsxcq's responsibility.
文件快照
[4.0K] /data/pocs/d0dedde2c59e175533ac3995e95ca1ff9fa24307
├── [ 418] Dockerfile
├── [1.5K] exploit.js
├── [ 34K] LICENSE
├── [ 68] main.sh
├── [ 652] package.json
├── [4.0K] packages
│ ├── [573K] openssh-client_7.2p2-4ubuntu2.1_amd64.deb
│ └── [330K] openssh-server_7.2p2-4ubuntu2.1_amd64.deb
├── [2.2K] README.md
└── [2.5K] sshd_config
1 directory, 9 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。