![]() First it establishes an encrypted connection with the OpenSSH server, and then it sends a malformed SSH2_MSG_USERAUTH_REQUEST (type publickey) message. ![]() This is exactly what the PoC Python script triggers. ![]() To summarize this chain of functions: when packet_get_string is used to extract a string from a message, a fatal exception can occur if the string is malformed, resulting in the termination of the OpenSSH process. Sshbuf_get_string_direct calls sshbuf_peek_string_direct:Īnd finally, sshbuf_peek_string_direct does the string validation:Įrror SSH_ERR_MESSAGE_INCOMPLETE (the message found in the log) is returned if the remaining data in the message is smaller than 4 bytes (and can thus not contain the length of the string) or if the remaining data in the message is smaller than the length of the string. Sshbuf_get_string calls sshbuf_get_string_direct: Now follows another chain of functions: function sshpkt_get_string calls sshbuf_get_string: Function fatal logs a fatal error event, and then terminates the spawned OpenSSH process, without sending back any message. This function relies on other functions:įirst there is a define to function ssh_packet_get_string:įunction ssh_packet_get_string calls function sshpkt_get_string, and if its return value is not 0, it calls function fatal. checking that the specified length can be correct. the most significant byte of the 4-byte integer is placed first, followed by the less significant bytes.įunction packet_get_string extracts a string from a message, while validating it, i.e. A string is composed of 4 bytes (the length of the string), followed by a variable number of bytes (equal to the length) containing the string. In SSH messages, strings are encoded as a length-value pair. Next it is followed by 2 strings: the algorithm and the key. This field is equal to 1 when the authentication type is publickey. The first field to be extracted is a boolean (1 byte), with function packet_get_char(). If a username exists, step 1 will be followed by the extraction of fields from the message. ![]() This can happen because of function packet_get_string: If this fails, because of malformed strings, the process will stop and close the connection, without sending back any message. After step 1, function userauth_pubkey retrieves strings from the message sent by the client. What clever persons figured out, is that it is possible to stop the execution of function userauth_pubkey between step 1 and 2. if known username with correct key -> 1.if known username with incorrect key -> 0.The logic of this function is the following: It is called when message SSH2_MSG_USERAUTH_REQUEST (type publickey) is received, after which the result is used to send back message SSH2_MSG_USERAUTH_FAILURE or SSH2_MSG_USERAUTH_SUCCESS to the client. It returns 0 when authentication fails, and 1 when authentication succeeds. Function userauth_pubkey is one of the implemented authentication functions, specific for authentication via public keys. The behavior of OpenSSH is, of course, defined in the source code. This is how the vulnerability in public key authentication can be exploited to disclose the validity of a user name. Notice the blue server packet at the end of the communication. When the PoC script is executed with a non-existing username:Īnd the server sends back a message to the client: client packet), there is no subsequent blue packet (i.e. ![]() Notice that the last packet is pink (i.e. This error can also be found in /var/log/auth.log:įailure to parse the message causes the closing of the connection between client and server without message from the server: One way to test the PoC, is to start the OpenSSH server in debug mode:Īfter, run the PoC script with an existing username: First fully parse the message, then communicate. Fixing the vulnerability is in essence simple: reverse the logic. The vulnerability exists because communication about the non-existence of a username occurs before fully parsing the message. This exploit is implemented in a Python PoC script. In case the user exists, failure to parse the message will abort the communication: the connection will be closed without sending back any message. If the user does not exist, an authentication failure message will be sent to the client. We take a close look at this vulnerability in public key authentication of Ubuntu’s OpenSSH implementation.īy sending a malformed public key authentication message to an OpenSSH server, the existence of a particular username can be ascertained. This vulnerability manifests itself in several authentication functions of OpenSSH. In this blog post, we take a closer look at this vulnerability and propose mitigation and monitoring actions. This vulnerability does not produce a list of valid usernames, but it does allow guessing of usernames. An OpenSSH user enumeration vulnerability ( CVE-2018-15473) became public via a GitHub commit. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |