Bugtraq mailing list archives
Re: OpenSSH/PAM timing attack allows remote users identification
From: Karl-Heinz Haag <k.haag () linux-ag com>
Date: Fri, 2 May 2003 02:56:31 +0200
Quoting Marco Ivaldi (raptor () mediaservice net):
Security Advisory @ Mediaservice.net Srl
(#01, 30/04/2003) Data Security Division
Title: OpenSSH/PAM timing attack allows remote users identification
Application: OpenSSH-portable <= 3.6.1p1
Platform: Linux, maybe others
Description: A remote attacker can identify valid users on vulnerable
systems, all PAM-enabled systems are potentially affected
Author: Marco Ivaldi <raptor () mediaservice net>
Contributors: Maurizio Agazzini <inode () mediaservice net>,
Solar Designer <solar () openwall com>,
Andrea Ghirardini <pila () pilasecurity com>
Vendor Status: OpenSSH team notified on 12/04/2003,
vendor-sec list notified on 28/04/2003
CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
the name CAN-2003-0190 to this issue.
References: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190
1. Abstract.
During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM
support enabled (via the --with-pam configure script switch). This bug allows a
remote attacker to identify valid users on vulnerable systems, through a simple
timing attack. The vulnerability is easy to exploit and may have high severity
if combined with poor password policies and other security problems that allow
local privilege escalation.
2. Example Attack Session.
root () voodoo:~# ssh [valid_user] () lab mediaservice net
[valid_user] () lab mediaservice net's password: <- arbitrary (non-null) string
[2 secs delay]
Permission denied, please try again.
root () voodoo:~# ssh [no_such_user] () lab mediaservice net
[no_such_user] () lab mediaservice net's password: <- arbitrary (non-null) string
[no delay]
Permission denied, please try again.
4. Fix.
The "Fix" is to encourage all users/admins of OpenSSH to _only_ work
with key authentication (preferably only the ssh2 protocol) on all ssh servers.
Switch the default:
    PasswordAuthentication yes
to:
    PasswordAuthentication no
in sshd_config.
In combination with the default "RSAAuthentication yes" it results in:
,--------
| kh () i4x:~$ ssh dodo () i4x <- dodo = no_such_user
| [no delay]
| Permission denied (publickey).
`--------
The same as:
,--------
| kh () i4x:~$ ssh root () i4x
| [no delay]
| Permission denied (publickey).
`--------
That would be my 2 cents.
Karl-Heinz
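The attack session quoted above shows the whole oracle: a wrong password for an existing account costs about 2 seconds (the PAM failure delay), a wrong password for a non-existent account is rejected at once. The following is an added example, not code from the advisory or from OpenSSH: it simulates the two server behaviours in-process (a constructed user table and a 50 ms stand-in for the 2 s delay) and runs the attacker's measurement loop against each, so the leak and its absence can be observed without a target host. The function names, user names and delay value are all assumptions made for the demonstration.

```python
import statistics
import time

# Constructed stand-in for the server's account database (not a real host).
KNOWN_USERS = {"root": "hunter2", "valid_user": "s3cret"}
# Stands in for the ~2 s failure delay the advisory observed; kept short so the demo runs quickly.
PAM_DELAY = 0.05


def vulnerable_auth(username, password):
    """Mimics the reported behaviour: the PAM conversation, and with it the
    failure delay, runs only for accounts that actually exist."""
    if username not in KNOWN_USERS:
        return False                      # unknown account: immediate rejection
    ok = KNOWN_USERS[username] == password
    if not ok:
        time.sleep(PAM_DELAY)             # pam-style delay only on this path
    return ok


def hardened_auth(username, password):
    """Same cost on every failure path: the delay is paid whether or not the
    account exists, so timing no longer distinguishes the two cases."""
    ok = username in KNOWN_USERS and KNOWN_USERS[username] == password
    if not ok:
        time.sleep(PAM_DELAY)
    return ok


def measure(auth, username, password="x", samples=3):
    """Median wall-clock cost of a failed login attempt with an arbitrary
    non-empty password, as the attacker in the advisory does by hand."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        auth(username, password)
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)


def enumerate_users(auth, candidates, threshold=PAM_DELAY / 2):
    """Classify every candidate name: a failed attempt slower than the
    threshold is taken as evidence that the account exists."""
    return sorted(u for u in candidates if measure(auth, u) > threshold)


if __name__ == "__main__":
    names = ["root", "valid_user", "no_such_user", "dodo"]
    print("vulnerable server says these exist:", enumerate_users(vulnerable_auth, names))
    print("hardened server says these exist:  ", enumerate_users(hardened_auth, names))
```

Against the vulnerable server the classifier recovers exactly the real accounts; against the hardened one every name lands in the same timing bucket, which is the property to check for rather than "is there a delay at all". When measuring a real host, network jitter is far smaller than a 2 s PAM delay, so a handful of samples per name suffices.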
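Karl-Heinz's mitigation above is an sshd_config change, and two sshd_config rules regularly defeat such a change when it is audited by eye: for every keyword the first value wins (a later `PasswordAuthentication no` below an earlier `yes` is ignored), and anything after the first `Match` line is conditional and does not alter the global setting. In addition, on current OpenSSH releases PAM can still prompt for a password through keyboard-interactive authentication when `ChallengeResponseAuthentication` (called `KbdInteractiveAuthentication` in newer releases) is left at its default of yes. The following is an added audit helper, not code from the advisory or from OpenSSH; the sample configurations are constructed, and the option defaults are those of sshd.

```python
import re

# Globally relevant defaults (sshd's own): both options default to "yes".
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}
# Newer sshd spells the second option differently; treat both names as one option.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def effective_options(config_text):
    """Return the globally effective value of each option of interest.

    Implements the two sshd_config rules that matter for the audit: the
    FIRST value seen for a keyword is the one sshd uses, and parsing of the
    global section stops at the first 'Match' line.
    """
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break                                 # everything below is conditional
        if len(parts) == 2 and key in DEFAULTS and key not in found:
            found[key] = parts[1].strip().lower()
    return {k: found.get(k, DEFAULTS[k]) for k in DEFAULTS}


def password_logins_disabled(config_text):
    """True only when neither the password method nor PAM-backed
    keyboard-interactive prompts remain enabled in the global section."""
    return all(value == "no" for value in effective_options(config_text).values())


# Constructed sample: the "fix" was appended below the default, so it never takes effect.
VULNERABLE_CONFIG = """
PasswordAuthentication yes
PasswordAuthentication no     # ignored: sshd keeps the first value
"""

# Constructed sample: only the advisory-era change, leaving keyboard-interactive at its default.
PASSWORD_ONLY_CONFIG = """
PasswordAuthentication no
"""

# Constructed sample: both prompts off globally; the Match block is conditional and does not undo that.
HARDENED_CONFIG = """
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""


if __name__ == "__main__":
    for name, cfg in [("appended fix", VULNERABLE_CONFIG),
                      ("password only", PASSWORD_ONLY_CONFIG),
                      ("hardened", HARDENED_CONFIG)]:
        print(f"{name:14} {effective_options(cfg)} disabled={password_logins_disabled(cfg)}")
```

Run the helper over the real file (`open("/etc/ssh/sshd_config").read()`) and then confirm with the daemon itself: `sshd -T` prints the effective configuration after all parsing rules are applied, and a `Permission denied (publickey)` on a connection attempt, as in Karl-Heinz's session above, is the end-to-end check.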