Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 125412 - Dropbear SSH server Denial of Service
Summary: Dropbear SSH server Denial of Service
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2006-03-07 16:02 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2006-03-08 00:35 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2006-03-07 16:02:08 UTC
From: Pablo Fernandez <pablo@littleQ.net>
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Date: Tue, 07 Mar 2006 19:47:57 +0000
Subject: Dropbear SSH server Denial of Service

Dropbear SSH server Denial of Service

Credits: Pablo Fernandez
March 7th, 2006

I. BACKGROUND

Dropbear is a relatively small SSH 2 server and client. It runs on a
variety of POSIX-based platforms. Dropbear is open source software,
distributed under a MIT-style license. Dropbear is particularly useful
for "embedded"-type Linux (or other Unix) systems, such as wireless
routers.

More information is available at
http://matt.ucc.asn.au/dropbear/dropbear.html

II. DESCRIPTION

Denial of service is possible and could be trivialy launched by a remote
attacker.

The vulnerability specifically exists due to a design error in the
authorization-pending connections code. By default and as a #define of
the MAX_UNAUTH_CLIENTS constant, the SSH server allows 30
authorization-pending connections, after connection 31, incoming sockets
are close()d immediatly.

Vulnerable code is in svr-main.c

/* check for max number of connections not authorised */
for (j = 0; j < MAX_UNAUTH_CLIENTS; j++) {
        if (childpipes[j] < 0) {
                break;
        }
}

if (j == MAX_UNAUTH_CLIENTS) {
        /* no free connections */
        /* TODO - possibly log, though this would be an easy way
         * to fill logs/disk */
        close(childsock);
        continue;
}

III. ANALYSIS

Remote attack of this vulnerability is trivial. This is specially
problematic if the administrator can't login due to the attack and can't
at least blacklist the attacker, restart the service or undertake other
actions.

IV. DETECTION

All versions (up to and including current 0.47 version) are vulnerable.

The following distributions are known to use or package Dropbear:

      * LEAF Bering uClibc - a small Linux firewall/network applicance
        distribution. 
      * NetBSD Packages Collection 
      * Debian 
      * FreeBSD Ports 
      * Gentoo Packages 
      * OpenWRT - a very nice distro for WRT54G wireless routers (and
        others). 
      * FREESCO is is a single floppy NAT/firewall router/server. 
      * Bent Linux - a uClibc based Linux distribution, statically
        linked cpio.bz2 packages (should work on any distro) 
      * fli4l - a one-disk-router Linux distribution 
      * OpenZaurus - custom Linux for the Sharp Zaurus 
      * floppyfw - a single floppy firewall Linux distribution 
      * ttylinux - Linux to fit in 4 megabytes of disk space and run on
        386es, as an internet terminal 
      * Sisela - single floppy Linux router/wireless AP distro 
      * gumstix - tiny embedded Linux boards 
      * OpenSimpad - Linux for the Siemans SIMpad, packages here
        upgrade for Linksys WiFi routers 
      * Slackmatic 
      * Coyote Linux - a single floppy firewall 
      * Trinux - a lightweight Linux security toolkit 
      * Familiar ipkg - for handhelds 
      * Source Mage - a distribution of GNU/Linux, Dropbear is available
        as a spell. 
      * Netcomm NB5 ADSL router - this runs Dropbear out of the box. 
      * Dreambox linux-based DVB recorder has Dropbear on the default
        firmware. 
      * kboot - a proof-of-concept Linux boot loader.

V. WORKAROUND

Administrators running dropbear should wait for a fix from the vendor.
In the mean time, firewalling the SSH server allowing incoming
connections just from trusted sources is adviced.

VI. VENDOR RESPONSE

The vendor has been notified and a solution is under development.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

30/01/2006  Initial vendor notification
07/03/2006  Public disclosure

IX. CREDIT

Pablo Fernandez <pablo at littleQ.net> is credited with this discovery.

-- 
Pablo Fernandez Lopez
http://www.littleQ.net/

GPG: http://www.littleQ.net/pablo.asc
Fingerprint: 14A0 8343 E8FB E940 59E3  F7BB C347 869D DBB9 337F
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-07 16:39:32 UTC
vapier pls provide an updated ebuild, thank you
Comment 2 SpanKY gentoo-dev 2006-03-07 17:09:21 UTC
updated how ?  how do you really expect to "fix" this ?

btw, openssh maxes out at 16, so it looks like openssh is twice as "vulnerable" as dropbear
$ for i in {0..20} ; do echo $i ; (nc localhost 22&) ; done
$ ssh localhost
ssh_exchange_identification: Connection closed by remote host
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2006-03-07 23:45:35 UTC
I agree with vapier, this is a fairly silly vulnerability, any input from the rest of  security team? I think we can safely INVALID this one.
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-08 00:35:58 UTC
yeah sorry, i guess i was a bit trigger happy here. lets kill it.