From b11018bd7d5f1a5d0cacbc21717d14a3bcf7731d Mon Sep 17 00:00:00 2001 From: Andris Raugulis Date: Thu, 8 Sep 2016 20:04:48 +0300 Subject: [PATCH] Add other security information. Add remote root exploit for Dropbear SSH. --- ssh-audit.py | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/ssh-audit.py b/ssh-audit.py index cd7cfcd..ccaa7bf 100755 --- a/ssh-audit.py +++ b/ssh-audit.py @@ -407,6 +407,11 @@ class SSH(object): ['0.28', '0.42', 'CVE-2004-2486', 7.5, 'execute arbitrary code via DSS verification code.'], ] } + TXT = { + 'Dropbear SSH': [ + ['0.28', '0.34', 'remote root exploit', 'remote format string buffer overflow exploit (exploit-db#387).'], + ] + } class Socket(ReadBuf, WriteBuf): SM_BANNER_SENT = 1 @@ -834,10 +839,23 @@ def output_security_cve(software, padlen): out.fail('(cve) {0}{1} -- ({2}) {3}'.format(cve, padding, cvss, descr)) +def output_security_txt(software, padlen): + if software is None or software.product not in SSH.Security.TXT: + return + for line in SSH.Security.TXT[software.product]: + vfrom, vtill = line[0:2] + if not software.version_between(vfrom, vtill): + continue + head, descr = line[2:4] + padding = '' if out.batch else ' ' * (padlen - len(head)) + out.fail('(sec) {0}{1} -- {2}'.format(head, padding, descr)) + + def output_security(banner, padlen): with OutputBuffer() as obuf: software = SSH.Software.parse(banner) output_security_cve(software, padlen) + output_security_txt(software, padlen) if len(obuf) > 0: out.head('# security') obuf.flush()