Bugtraq: Re: OpenSSH/PAM timing attack allows remote users identification

[Karl-Heinz Haag <k.haag () linux-ag com>]

Quoting Marco Ivaldi (raptor () mediaservice net):

> Security Advisory                                     @ Mediaservice.net Srl
> (#01, 30/04/2003)                                     Data Security Division
>
>          Title:       OpenSSH/PAM timing attack allows remote users identification
>    Application:       OpenSSH-portable <= 3.6.1p1
>       Platform:       Linux, maybe others
>    Description:       A remote attacker can identify valid users on vulnerable
>               systems, all PAM-enabled systems are potentially affected
>         Author:       Marco Ivaldi <raptor () mediaservice net>
>   Contributors: Maurizio Agazzini <inode () mediaservice net>,
>               Solar Designer <solar () openwall com>,
>               Andrea Ghirardini <pila () pilasecurity com>
>  Vendor Status: OpenSSH team notified on 12/04/2003,
>               vendor-sec list notified on 28/04/2003
>  CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
>               the name CAN-2003-0190 to this issue.
>     References: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
>               http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190
>
> 1. Abstract.
>
> During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM
> support enabled (via the --with-pam configure script switch). This bug allows a 
> remote attacker to identify valid users on vulnerable systems, through a simple
> timing attack. The vulnerability is easy to exploit and may have high severity,
> if combined with poor password policies and other security problems that allow 
> local privilege escalation.
>
> 2. Example Attack Session.
>
> root () voodoo:~# ssh [valid_user] () lab mediaservice net
> [valid_user] () lab mediaservice net's password:      <- arbitrary (non-null) string
> [2 secs delay]
> Permission denied, please try again.
>
> root () voodoo:~# ssh [no_such_user] () lab mediaservice net
> [no_such_user] () lab mediaservice net's password:    <- arbitrary (non-null) string
> [no delay]
> Permission denied, please try again.
>
> 4. Fix.

The "Fix" is to encourage all users/admins of OpenSSH to _only_ work 
with key authentication (preferable only ssh2 protocol) on all ssh servers. 


Switch the default: 
PasswordAuthentication yes

Into: 
PasswordAuthentication no

in sshd_config

In combination with the default "RSAAuthentication yes" it results in: 

,--------
|       kh () i4x:~$ ssh dodo () i4x            <-dodo=no_such_user
|       [no delay]
|       Permission denied (publickey).
`--------

The same as: 
,--------
|       kh () i4x:~$ ssh root () i4x
|       [no delay]
|       Permission denied (publickey).
`--------

That would be my 2Cent. 

Karl-Heinz

Attachment: _bin
Description: