CVE-2016-3116 Dropbear SSH forced-command and security bypass

Timeline :

Vulnerability discovered and reported to the vendor by tintinweb
Patch provided by the vendor on 2016-03-09
PoC and details provided by tintinweb on 2016-03-10

PoC provided by :

tintinweb

Reference(s) :

CVE-2016-3116

Affected version(s) :

All versions of Dropbear SSH prior to 2016.72 with X11Forwarding enabled.

Tested on :

Ubuntu 15.10 with Dropbear server v2015.71

Description :

Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth.

Injection of xauth commands grants the ability to read arbitrary files under the authenticated user's privilege. Other xauth commands allow limited information leakage, file overwrite and port probing, and generally expose xauth, which was not written with a hostile user in mind, as an attack surface.

xauth is run under the user's privilege, so this vulnerability offers no additional access to unrestricted accounts, but it could circumvent key or account restrictions such as sshd_config ForceCommand, authorized_keys command="…" or restricted shells.
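
An added example (not Dropbear's patch and not code from the original write-up) of the check whose absence is described above: allow-list validation of the two fields an X11 forwarding request carries, the authentication protocol name and the cookie defined in RFC 4254, before they are handed to xauth. The function names, the length limit and the protocol-name allow-list are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define X11_FIELD_MAX 256   /* assumed upper bound for this example */

/* Return 1 if all len bytes are ASCII digits, letters up to hi (upper or
 * lower case), or listed in extra. len is the SSH string length, so bytes
 * after an embedded NUL are inspected too. */
static int all_allowed(const char *s, size_t len, char hi, const char *extra)
{
    size_t i;
    if (s == NULL || len == 0 || len > X11_FIELD_MAX)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        int letter = (c >= 'a' && c <= hi) || (c >= 'A' && c <= hi - 32);
        int digit = (c >= '0' && c <= '9');
        if (!letter && !digit && (c == '\0' || strchr(extra, c) == NULL))
            return 0;
    }
    return 1;
}

/* Protocol name such as "MIT-MAGIC-COOKIE-1" (allow-list is an assumption). */
int x11_proto_ok(const char *s, size_t len)
{
    return all_allowed(s, len, 'z', "-._");
}

/* Cookie: RFC 4254 requires hexadecimal encoding; require whole bytes. */
int x11_cookie_ok(const char *s, size_t len)
{
    return (len % 2) == 0 && all_allowed(s, len, 'f', "");
}

int main(void)
{
    /* Constructed samples: a well-formed pair and a cookie with a newline. */
    const char proto[] = "MIT-MAGIC-COOKIE-1";
    const char good[] = "0123456789abcdef0123456789abcdef";
    const char bad[] = "0123456789abcdef\n123456789abcdef";
    printf("proto=%d good=%d bad=%d\n", x11_proto_ok(proto, sizeof proto - 1),
           x11_cookie_ok(good, sizeof good - 1),
           x11_cookie_ok(bad, sizeof bad - 1));
    return 0;
}
```

A server applying this kind of check refuses the forwarding request when either field fails, instead of trying to escape or strip the offending bytes.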

Commands :

Create user1 with a shell (/bin/bash):
- with SSH key or password authentication
- add a forced command in the authorized_keys file, like command="whoami"

Normally, only the command "whoami" is executed once SSH authentication has completed.

Create a non-shell (/bin/false) user2

Start dropbear
dropbear -R -F -E -p 2222

Use the provided PoC Python script to connect to the vulnerable host:
python poc.py <host> <port> <username> <password or path_to_privkey>
For example: python poc.py 192.168.6.146 22 user1 test

The ".readfile" command allows reading files on the system.
The ".writefile" command allows writing files on the system.