Bypassing OpenSSH’s 6‑Try Limit: How Attackers Can Get 10,000 Password Attempts

OpenSSH’s default six‑attempt password limit can be circumvented using a technique disclosed by KingCope, allowing attackers to script up to ten thousand login attempts, which dramatically raises the risk of successful brute‑force attacks despite existing mitigation measures.

MaGe Linux Operations

Only six password attempts are allowed by default in OpenSSH; what if an attacker could make ten thousand attempts?

OpenSSH contains a vulnerability that lets attackers bypass the single‑login password‑attempt limit.

Normally, after six incorrect passwords the server imposes a two‑minute grace period before the connection is closed, preventing rapid brute‑force attacks. However, this defense can be easily evaded.

A hacker who goes by the handle KingCope claims OpenSSH can be manipulated so that the maximum number of password attempts can be set arbitrarily.

This means an attacker can write a script to perform thousands of password attempts without any server‑side restriction, turning the vulnerability into a serious threat where any password can eventually be guessed.

KingCope’s proof‑of‑concept exploit is a simple parameter‑passing command that looks more like a special feature than a bug:

ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targethost

In a recent email, KingCope fully disclosed the flaw, stating that the method allows up to ten thousand password attempts within a single login session.

He added that if an attacker sends ten thousand interactive requests to a keyboard‑interactive device, OpenSSH will process them in a loop until the device’s internal limit is reached.

The latest OpenSSH versions still contain this issue, but programs and devices that use key‑based authentication are not affected because the bug only impacts keyboard‑interactive password entry. Administrators using fail2ban or pam‑shield can detect failed login events and block offending IPs. Reducing the grace period to 20 or 30 seconds also mitigates the risk.
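To check a server against the settings discussed above, the following added example (not part of the original article or of OpenSSH) audits the global section of an sshd_config text for the login grace time and for keyboard‑interactive authentication. The 30‑second threshold follows the article's suggestion; the sample configurations are constructed, and the function names are this example's own.

```python
import re

# Values sshd applies when a keyword is absent: two minutes, keyboard-interactive on.
DEFAULTS = {"logingracetime": "120", "kbdinteractiveauthentication": "yes"}
# ChallengeResponseAuthentication is the older name for the same switch.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def to_seconds(value):
    """Convert sshd time formats such as '120', '2m' or '1h30m' to seconds."""
    parts = re.findall(r"(\d+)([smhdw]?)", value.lower())
    if not parts or "".join(n + u for n, u in parts) != value.lower():
        raise ValueError("bad time value: " + value)
    return sum(int(n) * UNITS[u] for n, u in parts)


def effective_settings(config_text):
    """Global-section values; like sshd, the first occurrence of a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)  # drop comments, split keyword/value
        if len(fields) < 2:
            continue
        key = ALIASES.get(fields[0].lower(), fields[0].lower())
        if key == "match":  # conditional Match blocks are out of scope here
            break
        seen.setdefault(key, fields[1].strip())
    return {**DEFAULTS, **seen}


def audit(config_text, max_grace=30):
    """Return findings for the settings the article ties to this bug."""
    cfg = effective_settings(config_text)
    findings = []
    grace = to_seconds(cfg["logingracetime"])
    if grace == 0 or grace > max_grace:  # 0 means no time limit at all
        findings.append(f"LoginGraceTime is {grace}s; article suggests 20-30s")
    if cfg["kbdinteractiveauthentication"].lower() != "no":
        findings.append("keyboard-interactive authentication is enabled")
    return findings


# Constructed sample configs, not taken from any real host.
DEFAULT_LIKE = "# stock file\nPort 22\n#LoginGraceTime 2m\n"
HARDENED = "LoginGraceTime 30\nChallengeResponseAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for name, text in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(name, audit(text) or "ok")
```

A commented‑out keyword counts as absent, so the default‑like sample is reported with both findings even though it sets nothing explicitly.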

This article is translated from 360 Security Broadcast; please credit the source when republishing.

Original article: http://www.theregister.co.uk/2015/07/23/openssh_brute_force_bug/
