OpenSSH 7.3 has been released, and it looks like CVE-2016-6210 has been fixed.
http://www.openssh.com/txt/release-7.3

sshd(8): Mitigate timing differences in password authentication
that could be used to discern valid from invalid account names
when long passwords were sent and particular password hashing
algorithms are in use on the server. CVE-2016-6210, reported by
EddieEzra.Harari at verint.com

Wondering how it was fixed, I cloned the git repository and looked at the commit log.

$ git show 9286875a
commit 9286875a73b2de7736b5e50692739d314cd8d9dc
Author: Darren Tucker <[email protected]>
Date:   Fri Jul 15 13:32:45 2016 +1000

    Determine appropriate salt for invalid users.

    When sshd is processing a non-PAM login for a non-existent user it uses
    the string from the fakepw structure as the salt for crypt(3)ing the
    password supplied by the client. That string has a Blowfish prefix, so on
    systems that don't understand that crypt will fail fast due to an invalid
    salt, and even on those that do it may have significantly different timing
    from the hash methods used for real accounts (eg sha512). This allows
    user enumeration by, eg, sending large password strings. This was noted
    by EddieEzra.Harari at verint.com (CVE-2016-6210).

    To mitigate, use the same hash algorithm that root uses for hashing
    passwords for users that do not exist on the system. ok djm@

So it now uses the same hash algorithm that root uses on the system. I see.
The pick_salt function in openbsd-compat/xcrypt.c takes the $id$salt$ part from root's entry in /etc/shadow.

/*
 * Pick an appropriate password encryption type and salt for the running
 * system.
 */
static const char *
pick_salt(void)
{
	struct passwd *pw;
	char *passwd, *p;
	size_t typelen;
	static char salt[32];

	if (salt[0] != '\0')
		return salt;
	strlcpy(salt, "xx", sizeof(salt));
	if ((pw = getpwuid(0)) == NULL)
		return salt;
	passwd = shadow_pw(pw);
	if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
		return salt;  /* no $, DES */
	typelen = p - passwd + 1;
	strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
	explicit_bzero(passwd, strlen(passwd));
	return salt;
}

However, looking at the latest version of openbsd-compat/xcrypt.c, root does not necessarily have a password, so it now returns the $id$salt$ of the first non-DES entry it finds.

/*
 * Pick an appropriate password encryption type and salt for the running
 * system by searching through accounts until we find one that has a valid
 * salt. Usually this will be root unless the root account is locked out.
 * If we don't find one we return a traditional DES-based salt.
 */
static const char *
pick_salt(void)
{
	struct passwd *pw;
	char *passwd, *p;
	size_t typelen;
	static char salt[32];

	if (salt[0] != '\0')
		return salt;
	strlcpy(salt, "xx", sizeof(salt));
	setpwent();
	while ((pw = getpwent()) != NULL) {
		passwd = shadow_pw(pw);
		if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) {
			typelen = p - passwd + 1;
			strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
			explicit_bzero(passwd, strlen(passwd));
			goto out;
		}
	}
 out:
	endpwent();
	return salt;
}
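
The selection logic of the two pick_salt versions above, run over in-memory strings instead of /etc/shadow, as an added example that is not OpenSSH code. salt_prefix and pick_salt_from are hypothetical names and the hash fields are constructed samples; it shows the DES fallback when only a locked root entry is consulted, and the truncation to the 32-byte buffer.

```c
#include <stdio.h>
#include <string.h>

#define SALT_MAX 32	/* same size as the static salt[] in pick_salt() */

/* Copy the "$id$salt" prefix of one hash field into out (truncating
 * like strlcpy). Returns 0 for locked ("!", "*") or DES-style fields. */
static int salt_prefix(const char *field, char *out, size_t outlen)
{
	const char *p;
	size_t n;

	if (field[0] != '$' || (p = strrchr(field + 1, '$')) == NULL)
		return 0;
	n = (size_t)(p - field);	/* bytes before the last '$' */
	if (n > outlen - 1)
		n = outlen - 1;
	memcpy(out, field, n);
	out[n] = '\0';
	return 1;
}

/* Scan the first `count` fields in order, as the getpwent() loop does;
 * count == 1 models the original root-only lookup. Falls back to "xx". */
static const char *pick_salt_from(const char *const *fields, size_t count)
{
	static char salt[SALT_MAX];
	size_t i;

	snprintf(salt, sizeof(salt), "xx");
	for (i = 0; i < count; i++)
		if (salt_prefix(fields[i], salt, sizeof(salt)))
			break;
	return salt;
}

/* Constructed sample hash fields, not taken from any real system. */
static const char *const locked_root[] = {
	"!", "!$6$lockedsalt$CONSTRUCTEDHASH", "$6$Zk3mQ9aa$CONSTRUCTEDHASH" };
static const char *const long_prefix[] = {
	"$6$rounds=656000$abcdefghijklmnop$CONSTRUCTEDHASH" };

int main(void)
{
	printf("root only, locked: %s\n", pick_salt_from(locked_root, 1));
	printf("scan all accounts: %s\n", pick_salt_from(locked_root, 3));
	printf("long prefix:       %s\n", pick_salt_from(long_prefix, 1));
	return 0;
}
```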