From e3559a76b89e1612ca52836f5798cc25d8a0b648 Mon Sep 17 00:00:00 2001
From: Andris Raugulis
Date: Tue, 13 Sep 2016 13:01:38 +0300
Subject: [PATCH] Differentiate between server and client security issues. Ignore client-side.
---
 ssh-audit.py | 55 +++++++++++++++++++++++++---------------------------
 1 file changed, 26 insertions(+), 29 deletions(-)
diff --git a/ssh-audit.py b/ssh-audit.py
index d188967..2ba277f 100755
--- a/ssh-audit.py
+++ b/ssh-audit.py
@@ -434,20 +434,20 @@ class SSH(object):
 class Security(object):
 CVE = {
 'Dropbear SSH': [
- ['0.44', '2015.71', 'CVE-2016-3116', 5.5, 'bypass command restrictions via xauth command injection.'],
- ['0.28', '2013.58', 'CVE-2013-4434', 5.0, 'discover valid usernames through different time delays.'],
- ['0.28', '2013.58', 'CVE-2013-4421', 5.0, 'cause DoS (memory consumption) via a compressed packet.'],
- ['0.52', '2011.54', 'CVE-2012-0920', 7.1, 'execute arbitrary code or bypass command restrictions.'],
- ['0.40', '0.48.1', 'CVE-2007-1099', 7.5, 'conduct a MitM attack (no warning for hostkey mismatch).'],
- ['0.28', '0.47', 'CVE-2006-1206', 7.5, 'cause DoS (slot exhaustion) via large number of connections.'],
- ['0.39', '0.47', 'CVE-2006-0225', 4.6, 'execute arbitrary commands via scp with crafted filenames.'],
- ['0.28', '0.46', 'CVE-2005-4178', 6.5, 'execute arbitrary code via buffer overflow vulnerability.'],
- ['0.28', '0.42', 'CVE-2004-2486', 7.5, 'execute arbitrary code via DSS verification code.'],
+ ['0.44', '2015.71', 1, 'CVE-2016-3116', 5.5, 'bypass command restrictions via xauth command injection.'],
+ ['0.28', '2013.58', 1, 'CVE-2013-4434', 5.0, 'discover valid usernames through different time delays.'],
+ ['0.28', '2013.58', 1, 'CVE-2013-4421', 5.0, 'cause DoS (memory consumption) via a compressed packet.'],
+ ['0.52', '2011.54', 1, 'CVE-2012-0920', 7.1, 'execute arbitrary code or bypass command restrictions.'],
+ ['0.40', '0.48.1', 1, 'CVE-2007-1099', 7.5, 'conduct a MitM attack (no warning for hostkey mismatch).'],
+ ['0.28', '0.47', 1, 'CVE-2006-1206', 7.5, 'cause DoS (slot exhaustion) via large number of connections.'],
+ ['0.39', '0.47', 1, 'CVE-2006-0225', 4.6, 'execute arbitrary commands via scp with crafted filenames.'],
+ ['0.28', '0.46', 1, 'CVE-2005-4178', 6.5, 'execute arbitrary code via buffer overflow vulnerability.'],
+ ['0.28', '0.42', 1, 'CVE-2004-2486', 7.5, 'execute arbitrary code via DSS verification code.'],
 ]
 }
 TXT = {
 'Dropbear SSH': [
- ['0.28', '0.34', 'remote root exploit', 'remote format string buffer overflow exploit (exploit-db#387).'],
+ ['0.28', '0.34', 1, 'remote root exploit', 'remote format string buffer overflow exploit (exploit-db#387).'],
 ]
 }
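Review bot: The new third column is a bare integer whose meaning is nowhere stated in the table; a reader cannot tell that 1 means "server-side" without going to the consumer in output_security_sub. Add a column comment above `CVE = {`, e.g. `# columns: min version, max version, target bitmask (1 = server, 2 = client), CVE id, CVSS score, description`, and a matching one above `TXT = {` with its shorter layout. Separately, judging only from its own description, CVE-2007-1099 ("no warning for hostkey mismatch") concerns hostkey verification, which is something the client does, so tagging it 1 looks at odds with the commit's aim of separating server and client issues — worth checking against the advisory and, if confirmed, changing that entry's flag to 2. The nested class Security is complete within the hunk but the enclosing class SSH starts outside it.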
@@ -865,35 +865,32 @@ def output_compatibility(kex, client=False):
 out.good('(gen) compatibility: ' + ', '.join(comp_text))
-def output_security_cve(software, padlen):
- if software is None or software.product not in SSH.Security.CVE:
+def output_security_sub(sub, software, padlen):
+ secdb = SSH.Security.CVE if sub == 'cve' else SSH.Security.TXT
+ if software is None or software.product not in secdb:
 return
- for line in SSH.Security.CVE[software.product]:
+ for line in secdb[software.product]:
 vfrom, vtill = line[0:2]
 if not software.between_versions(vfrom, vtill):
 continue
- cve, cvss, descr = line[2:5]
- padding = '' if out.batch else ' ' * (padlen - len(cve))
- out.fail('(cve) {0}{1} -- ({2}) {3}'.format(cve, padding, cvss, descr))
-
-
-def output_security_txt(software, padlen):
- if software is None or software.product not in SSH.Security.TXT:
- return
- for line in SSH.Security.TXT[software.product]:
- vfrom, vtill = line[0:2]
- if not software.between_versions(vfrom, vtill):
+ target, name = line[2:4]
+ is_server, is_client = target & 1 == 1, target & 2 == 2
+ if is_client:
 continue
- head, descr = line[2:4]
- padding = '' if out.batch else ' ' * (padlen - len(head))
- out.fail('(sec) {0}{1} -- {2}'.format(head, padding, descr))
+ p = '' if out.batch else ' ' * (padlen - len(name))
+ if sub == 'cve':
+ cvss, descr = line[4:6]
+ out.fail('(cve) {0}{1} -- ({2}) {3}'.format(name, p, cvss, descr))
+ else:
+ descr = line[4]
+ out.fail('(sec) {0}{1} -- {2}'.format(name, p, descr))
 def output_security(banner, padlen):
 with OutputBuffer() as obuf:
 software = SSH.Software.parse(banner)
- output_security_cve(software, padlen)
- output_security_txt(software, padlen)
+ output_security_sub('cve', software, padlen)
+ output_security_sub('txt', software, padlen)
 if len(obuf) > 0:
 out.head('# security')
 obuf.flush()
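Review bot: `is_server` is computed but never read, and the filter `if is_client: continue` drops any entry whose target bitmask has both bits set (3 = affects server and client), so a finding that does apply to the audited server would be silently hidden. Since the intent is to ignore client-only issues rather than anything that also touches clients, the guard should be `if not is_server: continue`, after which `is_client` can be dropped. A short comment at the `target, name = line[2:4]` line, `# target bitmask: 1 = server, 2 = client`, would also spare readers from inferring the encoding from the table. output_compatibility's body begins outside the hunk; the two functions under review are complete within it.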