# CVE-2018-15473
OpenSSH 7.7 - Username Enumeration
## Method
The attacker can try to authenticate a user with a malformed packet (for
example, a truncated packet), and:
- if the user is invalid (it does not exist), then userauth_pubkey()
returns immediately, and the server sends an SSH2_MSG_USERAUTH_FAILURE
to the attacker;
- if the user is valid (it exists), then sshpkt_get_u8() fails, and the
server calls fatal() and closes its connection to the attacker.
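
The ordering problem described above, as an added example that is not part of this repository or of OpenSSH: a simplified offline model of the publickey request handler with the early return, beside a variant that parses the request before it looks at the user. All names (`VALID_USERS`, `handler_early_return`, `handler_parse_first`, `leaks_validity`) and the sample request bytes are constructed for illustration.

```python
import struct

VALID_USERS = {"alice"}      # constructed account database (assumption)
FAILURE, DISCONNECT = "SSH2_MSG_USERAUTH_FAILURE", "connection closed"

class Fatal(Exception):
    """Stands in for sshd's fatal(): the connection drops with no reply."""

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def parse_pubkey_body(body: bytes) -> None:
    """Read have_sig (u8), then algorithm and key blob (two SSH strings)."""
    if len(body) < 1:
        raise Fatal("incomplete message")
    off = 1
    for _ in range(2):
        if off + 4 > len(body):
            raise Fatal("incomplete message")
        (n,) = struct.unpack_from(">I", body, off)
        off += 4 + n
        if off > len(body):
            raise Fatal("incomplete message")

def handler_early_return(user: str, body: bytes) -> str:
    # Ordering described above: unknown users return before any parsing.
    if user not in VALID_USERS:
        return FAILURE
    parse_pubkey_body(body)
    return FAILURE           # this model never accepts a key

def handler_parse_first(user: str, body: bytes) -> str:
    # Hardened ordering: every request is parsed before the user is checked.
    parse_pubkey_body(body)
    if user not in VALID_USERS:
        return FAILURE
    return FAILURE

def observe(handler, user: str, body: bytes) -> str:
    """What the client sees: a failure message or a dropped connection."""
    try:
        return handler(user, body)
    except Fatal:
        return DISCONNECT

def leaks_validity(handler, body: bytes) -> bool:
    """Regression check: do a known and an unknown user get different outcomes?"""
    return observe(handler, "alice", body) != observe(handler, "no-such-user", body)

GOOD = b"\x00" + ssh_string(b"ssh-rsa") + ssh_string(b"constructed-key-blob")
TRUNCATED = GOOD[:-5]        # constructed malformed (truncated) request
```

`leaks_validity` can serve as a regression test for any handler with this shape: the outcome for a malformed request must not depend on whether the account exists.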
## Usage
The script is simple to use and needs only a single command:
```
python openssh.py <target> --port <port> --userlist <username_file>
```
## Vulnerable Systems
+ Redhat Enterprise Linux 7
+ Redhat Enterprise Linux 6
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
+ Redhat Enterprise Linux 5
+ OpenSSH OpenSSH 3.4
+ OpenSSH OpenSSH 3.3
+ Openwall Openwall GNU/*/Linux (Owl)-current
+ OpenSSH OpenSSH 2.9
+ FreeBSD FreeBSD 4.6 -RELEASE
+ FreeBSD FreeBSD 4.6
+ FreeBSD FreeBSD 4.5 -RELEASE
+ FreeBSD FreeBSD 4.5
+ OpenSSH OpenSSH 2.5.2
+ Caldera OpenUnix 8.0
+ Caldera UnixWare 7.1.1
+ Wirex Immunix OS 6.2
+ OpenSSH OpenSSH 2.5.1
+ NetBSD NetBSD 1.5.1
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Firewall on CD
+ S.u.S.E. SuSE eMail Server III
+ SCO Open Server 5.0.6 a
+ SCO Open Server 5.0.6
+ SCO Open Server 5.0.5
+ SCO Open Server 5.0.4
+ SCO Open Server 5.0.3
+ SCO Open Server 5.0.2
+ SCO Open Server 5.0.1
+ SCO Open Server 5.0
+ SuSE Linux 7.3
+ SuSE Linux 7.2
+ SuSE Linux 7.1
+ SuSE SUSE Linux Enterprise Server 7
+ OpenSSH OpenSSH 2.5
+ OpenSSH OpenSSH 2.3
+ SuSE Linux 7.0 sparc
+ SuSE Linux 7.0 ppc
+ SuSE Linux 7.0 i386
+ SuSE Linux 7.0 alpha
+ SuSE Linux 6.4 ppc
+ SuSE Linux 6.4 i386
+ SuSE Linux 6.4 alpha
+ OpenSSH OpenSSH 2.1.1
+ SuSE Linux 7.0 sparc
+ SuSE Linux 7.0 ppc
+ SuSE Linux 7.0 i386
+ SuSE Linux 7.0 alpha
+ OpenSSH OpenSSH 2.1
+ OpenSSH OpenSSH 1.2.3
+ Blue Coat Systems Security Gateway OS 2.1.5001 SP1
+ OpenSSH OpenSSH 1.2.2
+ OpenSSH OpenSSH 7.7
+ OpenSSH OpenSSH 7.6
+ OpenSSH OpenSSH 7.4
+ OpenSSH OpenSSH 7.3
+ OpenSSH OpenSSH 7.2
+ OpenSSH OpenSSH 7.1
+ OpenSSH OpenSSH 7.0
+ OpenSSH OpenSSH 6.9
+ OpenSSH OpenSSH 6.8
+ OpenSSH OpenSSH 6.7
+ NetBSD NetBSD 1.5.1
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Firewall on CD
+ S.u.S.E. Linux Live-CD for Firewall
+ S.u.S.E. SuSE eMail Server III
+ SCO Open Server 5.0.6 a
+ SCO Open Server 5.0.6
+ SCO Open Server 5.0.5
+ SCO Open Server 5.0.4
+ SCO Open Server 5.0.3
+ SCO Open Server 5.0.2
+ SCO Open Server 5.0.1
+ SCO Open Server 5.0
+ SuSE Linux 7.3
+ SuSE Linux 7.2
+ SuSE Linux 7.1
+ SuSE SUSE Linux Enterprise Server 7
+ OpenSSH OpenSSH 6.6
+ OpenSSH OpenSSH 6.5
+ OpenSSH OpenSSH 6.4
+ OpenSSH OpenSSH 6.3
+ OpenSSH OpenSSH 6.2
+ OpenSSH OpenSSH 6.1
+ OpenSSH OpenSSH 6.0
+ OpenSSH OpenSSH 5.8
+ OpenSSH OpenSSH 5.7
+ OpenSSH OpenSSH 5.6
+ OpenSSH OpenSSH 5.5
+ OpenSSH OpenSSH 4.5
+ OpenSSH OpenSSH 1.127
+ OpenSSH OpenSSH 1.126
+ OpenBSD OpenSSH 6.0
+ OpenBSD OpenSSH 3.0.2
+ OpenBSD OpenSSH 2.5.2
+ OpenBSD OpenSSH 2.3.1
+ OpenBSD OpenBSD 2.8
+ OpenBSD OpenBSD 2.7
+ OpenBSD OpenBSD 2.6
+ OpenBSD OpenSSH 2.1
+ OpenBSD OpenSSH 1.2.3
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ OpenBSD OpenSSH 1.2
+ OpenBSD OpenSSH 6.6
+ OpenBSD OpenSSH 6.5
+ OpenBSD OpenSSH 6.4
+ OpenBSD OpenSSH 5.9
+ OpenBSD OpenSSH 5.8
+ OpenBSD OpenSSH 5.7
+ OpenBSD OpenSSH 5.4
+ OpenBSD OpenSSH 5.2
+ OpenBSD OpenSSH 5.1
+ OpenBSD OpenSSH 4.9
+ OpenBSD OpenSSH 4.8
+ OpenBSD OpenSSH 4.7
+ OpenBSD OpenSSH 4.6
+ OpenBSD OpenSSH 4.4
+ OpenBSD OpenSSH 4.3
+ OpenBSD OpenSSH 4.2
+ OpenBSD OpenSSH 4.1
+ OpenBSD OpenSSH 4.0
[4.0K] /data/pocs/9eafe8869abb77e643046e599422f4644ef0af97
├── [3.4K] openssh.py
└── [3.7K] README.md
0 directories, 2 files