CVE-2016-3115 OpenSSH forced-command and security bypass

Timeline :

Vulnerability discovered and reported to the vendor by tintinweb
Patch provided by the vendor the 2016-03-09
PoC and details provided by tintinweb the 2016-03-10

PoC provided by :

tintinweb

Reference(s) :

CVE-2016-3115

Affected version(s) :

All versions of OpenSSH prior to 7.2p2 with X11Forwarding enabled.

Tested on :

Ubuntu 15.10 with OpenSSH_6.9p1 Ubuntu-2, OpenSSL 1.0.2d 9 Jul 2015

Description :

Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth.

Injection of xauth commands grants the ability to read arbitrary files under the authenticated user’s privilege, Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth, which was not written with a hostile user in mind, as an attack surface.

xauth is run under the user’s privilege, so this vulnerability offers no additional access to unrestricted accounts, but could circumvent key or account restrictions such as sshd_config ForceCommand, authorized_keys command=”…” or restricted shells.

Commands :

Create a shell (/bin/bash) user1:
- with ssh key or password authentication
- add a force commands in authorized_keys file, like command="whoami"

Normally only the command “whoami” will be executed when SSH authentication will be done

Create a non-shell (/bin/false) user2

User provided PoC python script and connect to the vulnerable host
python poc.py <host> <port> <username> <password or path_to_privkey>
For example: python poc.py 192.168.6.146 22 user1 test

“.readfile” command allow to read files on the system
“.writefile” command allow to write files on the system