CVE-2016-3115
published 2016-03-22

Priority: P3 · 53
Severity: medium, 6.4 (CVSS 3.1), vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Exploit: known
EPSS: 37.02% (98.3rd percentile)
Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.

Affected (9 ranges)

Vendor    | Product    | Version range                        | Fixed in
debian    | openssh    | < openssh 1:7.2p2-1 (bookworm)       | openssh 1:7.2p2-1 (bookworm)
openbsd   | openssh    | <= 7.2                               |
openbsd   | openssh    | >= 0 < 1:7.2p2-1                     | 1:7.2p2-1
openbsd   | openssh    | >= 0 < 1:7.2p2-1                     | 1:7.2p2-1
openbsd   | openssh    | >= 0 < 1:7.2p2-1                     | 1:7.2p2-1
openbsd   | openssh    | >= 0 < 1:7.2p2-1                     | 1:7.2p2-1
openbsd   | openssh    | >= 0 < 1:6.6p1-2ubuntu2.7            | 1:6.6p1-2ubuntu2.7
oracle    | vm_server  |                                      |
paloalto  | pan-os     |                                      |

Detection & IOCs (extracted from sources)

Type     | Value
command  | xauth -q -
command  | \ninfo
command  | xxxx\nsource /etc/passwd\n
command  | \nadd 127.0.0.250:65500 `thisisatestfile` aa
command  | \nextract /tmp/testfile 127.0.0.250:65500
path     | /tmp/testfile
path     | /usr/bin/xauth

  • Detect CRLF/newline injection in SSH X11 forwarding requests: monitor sshd for x11-req channel requests where the x11 auth cookie (auth_data) or auth protocol (auth_proto) fields contain newline characters (\n / 0x0a), which act as xauth command separators.
  • Monitor for xauth being spawned by sshd (parent process sshd) with stdin containing commands beyond the expected 'remove' and 'add' lines, especially 'source', 'extract', 'generate', or 'info' commands injected via newlines.
  • Alert on xauth 'source' subcommand usage from sshd context, which enables arbitrary file read (e.g., 'source /etc/passwd', 'source /etc/shadow').
  • Alert on xauth 'extract' subcommand usage from sshd context, which enables arbitrary file write in xauth.db format.
  • Alert on xauth 'generate' subcommand usage from sshd context, which initiates outbound TCP connections to arbitrary hosts/ports (port probing or connect-back).
  • Exploitation requires X11Forwarding to be enabled on the server. Audit sshd_config for 'X11Forwarding yes' as a precondition indicator; accounts with forced-commands or /bin/false shells are the primary targets.
  • Look for the SSH banner string '_/_/_/_/' to identify BlackStratus LOGStorm appliances that are exposed to this vulnerability in the wild.
  • The attack vector requires X11Forwarding to be enabled (X11Forwarding yes) in sshd_config. Disabling it fully mitigates the vulnerability.
  • The vulnerability bypasses /bin/false login shell restrictions in OpenSSH but does NOT bypass /bin/nologin (which receives special treatment). Dropbear, by contrast, treats /bin/false like nologin and is not bypassed.
  • The attack also bypasses ForceCommand (forced-commands) restrictions in sshd, allowing restricted users to perform arbitrary xauth-mediated file read/write and environment leakage.
  • Per-key mitigation is available: adding 'no-x11-forwarding' to the relevant authorized_keys entry prevents exploitation for that key. In OpenSSH 7.2+, the 'restrict' keyword can be used instead.
  • The exploit only triggers when neither a system /sshrc nor a user-specific $HOME/.ssh/rc exists; if either is present, sshd takes a different code path (passing tainted input as arguments to the rc script instead).
  • Injected xauth commands execute with the effective permissions of the logged-in user (not root), as sshd has already dropped privileges by the time xauth is invoked.
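The first two detection bullets above can be turned into a small checker. The following is an added example written for this page, not code from the tracker or from OpenSSH; it assumes (as the 'xauth -q -' IOC suggests) that sshd feeds xauth a two-line 'remove <display>' / 'add <display> <proto> <cookie>' script, and the function names and the sample cookies are constructed for illustration.

```python
# Subcommands sshd legitimately writes to xauth when setting up a forwarded display.
EXPECTED_XAUTH_CMDS = {"remove", "add"}
# Subcommands the page calls out as the ones to alert on when they appear in sshd's xauth input.
HIGH_RISK_XAUTH_CMDS = {"source", "extract", "generate", "info"}


def x11_req_has_injection(auth_proto: str, auth_data: str) -> bool:
    """True if either x11-req field carries a CR or LF, which xauth treats as a command separator."""
    return any(ch in field for field in (auth_proto, auth_data) for ch in ("\n", "\r"))


def build_xauth_stdin(display: str, auth_proto: str, auth_data: str) -> str:
    """Assumed shape of the script sshd pipes to 'xauth -q -' (reconstructed, not taken from session.c)."""
    return f"remove {display}\nadd {display} {auth_proto} {auth_data}\n"


def audit_xauth_stream(stream: str, display: str) -> list:
    """Return (severity, line) findings for every xauth line that is not the expected remove/add
    for the display sshd actually set up. Injected lines show up as extra commands."""
    findings = []
    for raw in stream.replace("\r", "\n").splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        cmd = parts[0].lower()
        if cmd in EXPECTED_XAUTH_CMDS:
            if len(parts) > 1 and parts[1] == display:
                continue  # the two lines sshd is supposed to emit
            findings.append(("medium", line))  # remove/add for a display sshd did not allocate
        elif cmd in HIGH_RISK_XAUTH_CMDS:
            findings.append(("high", line))  # file read/write or outbound connect via xauth
        else:
            findings.append(("medium", line))  # anything else is still unexpected
    return findings


if __name__ == "__main__":
    # Constructed samples: a normal cookie and the newline-laden cookie from this page's IOC list.
    display, proto = "localhost:10.0", "MIT-MAGIC-COOKIE-1"
    for cookie in ("0011223344556677", "xxxx\nsource /etc/passwd\n"):
        print("injection:", x11_req_has_injection(proto, cookie))
        print("findings :", audit_xauth_stream(build_xauth_stdin(display, proto, cookie), display))
```

On a live host the same logic applies to the stdin recorded by a process-auditing tool for xauth children of sshd; the x11-req field check needs sshd debug logging or a protocol-level sensor.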

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 6.4   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
nvd            | v3.0    | 6.4   | MEDIUM   | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
nvd            | v2.0    | 5.5   | MEDIUM   | AV:N/AC:L/Au:S/C:P/I:P/A:N
osv            |         | 7.8   | HIGH     |
vendor_ubuntu  |         | 7.8   | HIGH     |
vendor_debian  |         | 6.4   | MEDIUM   |
vendor_redhat  |         | 6.4   | MEDIUM   |