Vulnerabilities > CVE-2016-3116 - Unspecified vulnerability in Dropbear SSH Project Dropbear SSH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: LOW
Integrity impact: LOW
Availability impact: NONE
Summary
CRLF injection vulnerability in Dropbear SSH before 2016.72 allows remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data.
Vulnerable Configurations
Exploit-Db
description | DropBearSSHD <= 2015.71 - Command Injection. CVE-2016-3116. Remote exploit for Linux platform |
id | EDB-ID:40119 |
last seen | 2016-07-18 |
modified | 2016-03-03 |
published | 2016-03-03 |
reporter | tintinweb |
source | https://www.exploit-db.com/download/40119/ |
title | DropBearSSHD <= 2015.71 - Command Injection |
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2016-40A657CEE1.NASL description CVE-2016-3116 dropbear: X11 forwarding input not validated properly Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-03-24 plugin id 90132 published 2016-03-24 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90132 title Fedora 22 : dropbear-2016.72-1.fc22 (2016-40a657cee1) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2016-40a657cee1.
#
# Fedora 22 local check for CVE-2016-3116: reports when the installed
# dropbear RPM is older than the fixed build dropbear-2016.72-1.fc22.
# The RPM list is gathered over SSH by ssh_get_info.nasl (declared as a
# dependency below); nothing is probed on the network by this plugin.
#

include("compat.inc");

if (description)
{
  script_id(90132);
  script_version("2.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-3116");
  script_xref(name:"FEDORA", value:"2016-40a657cee1");

  script_name(english:"Fedora 22 : dropbear-2016.72-1.fc22 (2016-40a657cee1)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"CVE-2016-3116 dropbear: X11 forwarding input not validated properly Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1316826"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179269.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?39f9a2e2"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected dropbear package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:dropbear");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Bail out unless local checks ran and the target really is Fedora 22.x;
# every other outcome is an audit() exit, not a finding.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 and x86_64 package lists are compared; any other architecture
# is reported as "local checks not implemented" rather than as not vulnerable.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# flag counts packages that failed the version comparison against the fixed
# reference build. rpm_check() is assumed to return true when the installed
# package is older than the reference — confirm against rpm.inc.
flag = 0;
if (rpm_check(release:"FC22", reference:"dropbear-2016.72-1.fc22")) flag++;

if (flag)
{
  # Vulnerable: attach the per-package comparison when verbose reporting is on.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # Not vulnerable: distinguish "dropbear installed and already fixed"
  # from "dropbear not installed at all".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "dropbear");
}
NASL family Misc. NASL id DROPBEAR_SSH_72.NASL description According to its self-reported version in the banner, the version of Dropbear SSH running on the remote host is prior to 2016.72. It is, therefore, affected by a command injection vulnerability when X11 Forwarding is enabled, due to improper sanitization of X11 authentication credentials. An authenticated, remote attacker can exploit this to execute arbitrary xauth commands on the remote host. Note that X11 Forwarding is not enabled by default. last seen 2020-06-01 modified 2020-06-02 plugin id 90027 published 2016-03-18 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90027 title Dropbear SSH Server < 2016.72 xauth Command Injection code
#
# (C) Tenable Network Security, Inc.
#
# Remote, banner-based version check for CVE-2016-3116 (Dropbear SSH < 2016.72).
# It reads the SSH banner already collected by ssh_detect.nasl and flags any
# 0.x or 2011.x-2015.x Dropbear version; 2016.72 is reported as the fixed release.
# Nothing beyond the banner is inspected, so the result is a potential
# vulnerability (see the potential_vulnerability attribute below).
#

include("compat.inc");

if (description)
{
  script_id(90027);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/20");

  script_cve_id("CVE-2016-3116");

  script_name(english:"Dropbear SSH Server < 2016.72 xauth Command Injection");
  script_summary(english:"Checks remote SSH server type and version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote SSH service is affected by a command injection vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version in the banner, the version of Dropbear SSH running on the remote host is prior to 2016.72. It is, therefore, affected by a command injection vulnerability when X11 Forwarding is enabled, due to improper sanitization of X11 authentication credentials. An authenticated, remote attacker can exploit this to execute arbitrary xauth commands on the remote host. Note that X11 Forwarding is not enabled by default.");
  script_set_attribute(attribute:"see_also", value:"https://matt.ucc.asn.au/dropbear/CHANGES");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2016/Mar/47");
  # https://github.com/mkj/dropbear/commit/18681875e30e1ea251914417829fdbb50534c9ba
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c1e20657");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Dropbear SSH version 2016.72 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-3116");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/18");

  # Version-only evidence: the plugin cannot tell whether X11 forwarding is
  # actually enabled on the server, hence "potential" and paranoid-only below.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:matt_johnston:dropbear_ssh_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_detect.nasl");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/ssh", 22);

  exit(0);
}

include("audit.inc");
include("backport.inc");
include("global_settings.inc");
include("misc_func.inc");

# Runs only when the scan is configured for paranoid reporting (level 2).
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# NOTE(review): app is assigned but never used; every audit() call below
# repeats the literal "Dropbear SSH" instead of passing app.
app = "Dropbear SSH";
port = get_service(svc:"ssh", exit_on_fail:TRUE);
orig_banner = get_kb_item_or_exit("SSH/banner/" + port);
banner = get_backport_banner(banner:orig_banner);

# Make sure it's Dropbear.
if ("dropbear" >!< banner) audit(AUDIT_NOT_DETECT, "Dropbear SSH", port);
# Banners that backport.inc recognises as distribution-patched builds are
# audited out: their version string is not a reliable indicator of the fix.
if (backported) audit(AUDIT_BACKPORT_SERVICE, port, "Dropbear SSH");

# Capture the version following "dropbear_" in the banner; the trailing
# group stops the match at the end of the numeric version.
item = eregmatch(pattern:"dropbear_([0-9]+\.[0-9]+(\.[0-9]+)?)($|[^0-9])", string:banner);
if (isnull(item)) audit(AUDIT_SERVICE_VER_FAIL, "Dropbear SSH", port);

version = item[1];

#SSH version : SSH-2.0-dropbear_0.53.1
#SSH version : SSH-2.0-dropbear_2011.54
# Both the old 0.x numbering and the year-based 2011..2015 releases predate
# the 2016.72 fix, so either form of version string is reported.
if (version =~ "^(0|201[1-5])\.")
{
  report_items = make_array(
    "Version source", orig_banner,
    "Installed version", version,
    "Fixed version", "2016.72"
  );
  order = make_list("Version source", "Installed version", "Fixed version");
  report = report_items_str(report_items:report_items, ordered_fields:order);
  security_report_v4(severity:SECURITY_WARNING, port:port, extra:report);
}
else audit(AUDIT_LISTEN_NOT_VULN, "Dropbear SSH", port, version);
NASL family SuSE Local Security Checks
NASL id OPENSUSE-2016-393.NASL
description This update for dropbear fixes the following issues : - dropbear was updated to upstream version 2016.72 - Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions, found by github.com/tintinweb. Thanks for Damien Miller for a patch. - used as bug fix release for boo#970633 - CVE-2016-3116 - dropbear was updated to upstream version 2015.71 - Fix
last seen 2020-06-05
modified 2016-03-25
plugin id 90168
published 2016-03-25
reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/90168
title openSUSE Security Update : dropbear (openSUSE-2016-393)

NASL family FreeBSD Local Security Checks
NASL id FREEBSD_PKG_8EB78CDCE9EC11E585BE14DAE9D210B8.NASL
description Matt Johnson reports : Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions
last seen 2020-06-01
modified 2020-06-02
plugin id 89928
published 2016-03-15
reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/89928
title FreeBSD : dropbear -- authorized_keys command= bypass (8eb78cdc-e9ec-11e5-85be-14dae9d210b8)

NASL family SuSE Local Security Checks
NASL id OPENSUSE-2016-387.NASL
description dropbear was updated to 2016.72 to fix the following issues : Changes in dropbear : - updated to upstream version 2016.72 - Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions, found by github.com/tintinweb. Thanks for Damien Miller for a patch. - used as bug fix release for boo#970633 - CVE-2016-3116 - updated to upstream version 2015.71 - Fix
last seen 2020-06-05
modified 2016-03-25
plugin id 90165
published 2016-03-25
reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/90165
title openSUSE Security Update : dropbear (openSUSE-2016-387)

NASL family Fedora Local Security Checks
NASL id FEDORA_2016-6DE0B19B3B.NASL
description new version Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-06-05
modified 2016-08-02
plugin id 92670
published 2016-08-02
reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/92670
title Fedora 23 : dropbear (2016-6de0b19b3b)

NASL family Fedora Local Security Checks
NASL id FEDORA_2016-332491DE28.NASL
description CVE-2016-3116 dropbear: X11 forwarding input not validated properly Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-06-05
modified 2016-03-24
plugin id 90129
published 2016-03-24
reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/90129
title Fedora 23 : dropbear-2016.72-1.fc23 (2016-332491de28)

NASL family Gentoo Local Security Checks
NASL id GENTOO_GLSA-201607-08.NASL
description The remote host is affected by the vulnerability described in GLSA-201607-08 (Dropbear: Privilege escalation) A CRLF injection vulnerability in Dropbear SSH allows remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data. Impact : A remote authenticated user could execute arbitrary code with the privileges of the process. Workaround : There is no known workaround at this time.
last seen 2020-06-01
modified 2020-06-02
plugin id 92478
published 2016-07-21
reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/92478
title GLSA-201607-08 : Dropbear: Privilege escalation

NASL family Fedora Local Security Checks
NASL id FEDORA_2016-BC45FAA824.NASL
description CVE-2016-3116 dropbear: X11 forwarding input not validated properly Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-06-05
modified 2016-03-28
plugin id 90225
published 2016-03-28
reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/90225
title Fedora 24 : dropbear-2016.72-1.fc24 (2016-bc45faa824)
Packetstorm
data source | https://packetstormsecurity.com/files/download/136251/dropbearsshd-bypass.txt |
id | PACKETSTORM:136251 |
last seen | 2016-12-05 |
published | 2016-03-15 |
reporter | INTREST SEC |
source | https://packetstormsecurity.com/files/136251/Dropbear-SSHD-xauth-Command-Injection-Bypass.html |
title | Dropbear SSHD xauth Command Injection / Bypass |
References
- https://matt.ucc.asn.au/dropbear/CHANGES
- https://security.gentoo.org/glsa/201607-08
- http://seclists.org/fulldisclosure/2016/Mar/47
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179269.html
- https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115
- http://lists.opensuse.org/opensuse-updates/2016-03/msg00105.html
- http://lists.opensuse.org/opensuse-updates/2016-03/msg00113.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179261.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179870.html
- http://packetstormsecurity.com/files/136251/Dropbear-SSHD-xauth-Command-Injection-Bypass.html