#22518: SSH MITM attack with dropbear
----------------------+--------------------------------
 Reporter:  puchuu    |      Owner:  developers
     Type:  defect    |     Status:  new
 Priority:  highest   |  Milestone:
Component:  packages  |    Version:  Chaos Calmer 15.05
 Keywords:  mitm      |
----------------------+--------------------------------
 I have the latest OpenWrt 15.05.1 installed on several routers. I've
 created images for them with image builder.

 Today I've checked that my routers' server host keys were changed. For
 example:

 ssh -v 192.168.0.1
 > debug1: Remote protocol version 2.0, remote software version dropbear_2015.67
 > debug1: Server host key: ssh-rsa SHA256:1KRsMnbnG5tnzSP3jerHAjnf9k02CT+yOCIgc6+Cf84

 Now my router wants to be in the middle between me and any host:

 ssh -v github.com
 > debug1: Connecting to github.com [192.30.252.121] port 22.
 > debug1: Connection established.
 > debug1: Remote protocol version 2.0, remote software version dropbear_2015.67
 > debug1: Server host key: ssh-rsa SHA256:1KRsMnbnG5tnzSP3jerHAjnf9k02CT+yOCIgc6+Cf84

 ssh -v bitbucket.org
 > debug1: Connecting to bitbucket.org [104.192.143.2] port 22.
 > debug1: Connection established.
 > debug1: Remote protocol version 2.0, remote software version dropbear_2015.67
 > debug1: Server host key: ssh-rsa SHA256:1KRsMnbnG5tnzSP3jerHAjnf9k02CT+yOCIgc6+Cf84

 This is funny, but this works even with hosts that have no ssh server:

 ssh -v abc.com
 > debug1: Connecting to abc.com [199.181.132.250] port 22.
 > debug1: Connection established.
 > debug1: Remote protocol version 2.0, remote software version dropbear_2015.67
 > debug1: Server host key: ssh-rsa SHA256:1KRsMnbnG5tnzSP3jerHAjnf9k02CT+yOCIgc6+Cf84

 What is going on? This looks like a great vulnerability.

--
Ticket URL: <https://dev.openwrt.org/ticket/22518>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
_______________________________________________
openwrt-tickets mailing list
openwrt-tickets@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-tickets
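
The symptom reported in the ticket, one host key and one server banner answering for unrelated host names, can be checked for mechanically in saved `ssh -v` output. The following is an added example, not part of the original ticket or of OpenWrt; the host names, addresses and fingerprints in it are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: `ssh -v` debug lines in the shape shown in the ticket,
# with placeholder hosts and fingerprints (not values from the report).
SAMPLE = """\
debug1: Connecting to router.example [192.0.2.1] port 22.
debug1: Remote protocol version 2.0, remote software version dropbear_2015.67
debug1: Server host key: ssh-rsa SHA256:AAAAconstructedFingerprintOne
debug1: Connecting to git.example [198.51.100.7] port 22.
debug1: Remote protocol version 2.0, remote software version dropbear_2015.67
debug1: Server host key: ssh-rsa SHA256:AAAAconstructedFingerprintOne
debug1: Connecting to build.example [203.0.113.9] port 22.
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: Server host key: ssh-ed25519 SHA256:BBBBconstructedFingerprintTwo
"""

CONNECT = re.compile(r"debug1: Connecting to (\S+) \[([^\]]+)\] port (\d+)")
BANNER = re.compile(r"debug1: Remote protocol version \S+ remote software version (\S+)")
HOSTKEY = re.compile(r"debug1: Server host key: (\S+) (\S+)")

def parse_sessions(text):
    """Return one dict per connection: host, ip, banner, keytype, fingerprint."""
    sessions = []
    # Collapse whitespace first so mail-wrapped debug lines are rejoined.
    for record in re.split(r"(?=debug1:)", " ".join(text.split())):
        if m := CONNECT.search(record):
            sessions.append({"host": m.group(1), "ip": m.group(2)})
        elif sessions and (m := BANNER.search(record)):
            sessions[-1]["banner"] = m.group(1)
        elif sessions and (m := HOSTKEY.search(record)):
            sessions[-1]["keytype"], sessions[-1]["fingerprint"] = m.groups()
    return sessions

def shared_host_keys(sessions):
    """Map fingerprint -> sorted host names, for keys seen on more than one host."""
    by_key = defaultdict(set)
    for s in sessions:
        if "fingerprint" in s:
            by_key[s["fingerprint"]].add(s["host"])
    return {fp: sorted(hosts) for fp, hosts in by_key.items() if len(hosts) > 1}

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(parse_sessions(SAMPLE)).items():
        print(f"{fp} presented for unrelated hosts: {', '.join(hosts)}")
```

Aliases of one server legitimately share a key, so a hit is a prompt to compare against fingerprints obtained out of band rather than proof on its own.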
