J-Security Center

Title: Dropbear SSH Server Username Format String Vulnerability

Severity: CRITICAL

Description:

Dropbear SSH Server is a secure shell server designed to be usable with low-end systems. Dropbear implements the use of various SSH 2 protocol features as well as X and authentication-agent forwarding, and is available for the Linux, Tru64, Solaris, and FreeBSD operating systems.

A remotely exploitable format string vulnerability has been discovered in Dropbear SSH Server. The problem is caused by an incorrectly formatted call to syslog() within the 'util.c' source file. This syslog() call is reached through the dropbear_log() function, which is called, among other places, during the authentication stage.

The code that makes this vulnerability remotely exploitable is in the 'auth.c' source file. It runs after the server places the user-supplied 'username' value in an internal memory buffer. That buffer is then passed, via the dropbear_log() function, to syslog() as the format string, so any format specifiers in the username are interpreted rather than logged as text.

As a result, an attacker may be able to influence the flow of program execution by placing specially calculated format specifiers within the 'username'. When this data is logged, it may be possible for the attacker to execute arbitrary code with the privileges of Dropbear, typically root.
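
The pattern described above, as an added example in C (not Dropbear's source and not part of the original advisory): a logging wrapper that hands an already formatted message to its sink as the format argument, beside the form that passes it as data behind a constant "%s". The function names, the sink_log() stand-in for syslog(), and the sample username are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3): same (priority, format, ...) contract, but it
 * writes to sink_buf so the result can be inspected. Hypothetical helper. */
static char sink_buf[256];

static void sink_log(int priority, const char *format, ...)
{
    va_list ap;
    (void)priority;
    va_start(ap, format);
    vsnprintf(sink_buf, sizeof sink_buf, format, ap);
    va_end(ap);
}

/* Flawed wrapper: the finished message, which contains the username, is
 * handed to the sink as the format argument and expanded a second time. */
const char *log_flawed(int priority, const char *format, ...)
{
    char printbuf[256];
    va_list ap;
    va_start(ap, format);
    vsnprintf(printbuf, sizeof printbuf, format, ap);
    va_end(ap);
    sink_log(priority, printbuf);
    return sink_buf;
}

/* Corrected wrapper: constant "%s" format, message passed only as data. */
const char *log_fixed(int priority, const char *format, ...)
{
    char printbuf[256];
    va_list ap;
    va_start(ap, format);
    vsnprintf(printbuf, sizeof printbuf, format, ap);
    va_end(ap);
    sink_log(priority, "%s", printbuf);
    return sink_buf;
}

int main(void)
{
    const char *user = "a%%b";  /* constructed username; "%%" is well defined */
    printf("flawed: %s\n", log_flawed(6, "login attempt for '%s'", user));
    printf("fixed:  %s\n", log_fixed(6, "login attempt for '%s'", user));
    return strcmp(sink_buf, "login attempt for 'a%%b'") != 0;
}
```

The flawed wrapper logs the username as a%b, which shows the sink parsing user data as a format string; the corrected wrapper logs it unchanged. Building callers with -Wformat -Wformat-security flags this pattern when the sink is a printf-style function such as syslog().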

This vulnerability affects Dropbear SSH Server v0.34 and earlier.

Affected Products:

  • Dropbear SSH Server 0.28.0
  • Dropbear SSH Server 0.29.0
  • Dropbear SSH Server 0.30.0
  • Dropbear SSH Server 0.31.0
  • Dropbear SSH Server 0.32.0
  • Dropbear SSH Server 0.33.0
  • Dropbear SSH Server 0.34.0
