BugTraq
OpenSSH/PAM timing attack allows remote users identification Apr 30 2003 02:34PM
Marco Ivaldi (raptor mediaservice net) (4 replies)
Re: OpenSSH/PAM timing attack allows remote users identification May 02 2003 01:15PM
Michael Shigorin (mike osdn org ua) (1 replies)
Re: OpenSSH/PAM timing attack allows remote users identification May 02 2003 01:48PM
Marco Ivaldi (raptor mediaservice net)
Re: OpenSSH/PAM timing attack allows remote users identification May 02 2003 12:56AM
Karl-Heinz Haag (k haag linux-ag com)
Quoting Marco Ivaldi (raptor (at) mediaservice (dot) net):

> Security Advisory @ Mediaservice.net Srl
> (#01, 30/04/2003) Data Security Division
>
> Title: OpenSSH/PAM timing attack allows remote users identification
> Application: OpenSSH-portable <= 3.6.1p1
> Platform: Linux, maybe others
> Description: A remote attacker can identify valid users on vulnerable
> systems, all PAM-enabled systems are potentially affected
> Author: Marco Ivaldi <raptor (at) mediaservice (dot) net>
> Contributors: Maurizio Agazzini <inode (at) mediaservice (dot) net>,
> Solar Designer <solar (at) openwall (dot) com>,
> Andrea Ghirardini <pila (at) pilasecurity (dot) com>
> Vendor Status: OpenSSH team notified on 12/04/2003,
> vendor-sec list notified on 28/04/2003
> CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
> the name CAN-2003-0190 to this issue.
> References: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190
>
> 1. Abstract.
>
> During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM
> support enabled (via the --with-pam configure script switch). This bug allows a
> remote attacker to identify valid users on vulnerable systems, through a simple
> timing attack. The vulnerability is easy to exploit and may have high severity,
> if combined with poor password policies and other security problems that allow
> local privilege escalation.
>
> 2. Example Attack Session.
>
> root@voodoo:~# ssh [valid_user]@lab.mediaservice.net
> [valid_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string
> [2 secs delay]
> Permission denied, please try again.
>
> root@voodoo:~# ssh [no_such_user]@lab.mediaservice.net
> [no_such_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string
> [no delay]
> Permission denied, please try again.
>
> 4. Fix.

The "Fix" is to encourage all users/admins of OpenSSH to _only_ work
with key authentication (preferably only the ssh2 protocol) on all ssh servers.

Switch the default:
PasswordAuthentication yes

Into:
PasswordAuthentication no

in sshd_config

In combination with the default "RSAAuthentication yes" it results in:

,--------
| kh@i4x:~$ ssh dodo@i4x <-dodo=no_such_user
| [no delay]
| Permission denied (publickey).
`--------

The same as:
,--------
| kh@i4x:~$ ssh root@i4x
| [no delay]
| Permission denied (publickey).
`--------

That would be my 2 cents.

Karl-Heinz

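An added example, not from the thread or from the OpenSSH project: a small POSIX shell check that reads an sshd_config file and reports the effective global PasswordAuthentication setting, so an admin can confirm the change recommended above actually took effect. It follows OpenSSH's documented parsing rules (the first occurrence of a keyword wins, a keyword that is absent or only commented out falls back to the built-in default of "yes", and lines inside a Match block apply conditionally rather than globally). The three sample configuration files are constructed inline for the demonstration.

```shell
#!/bin/sh
# Effective global PasswordAuthentication value of an sshd_config ($1).
# Rules applied (OpenSSH sshd_config(5)): first keyword occurrence wins,
# keywords are case-insensitive, built-in default is "yes", and anything
# after the first "Match" line is conditional, so it is not read as global.
sshd_password_auth() {
  awk '
    { sub(/#.*/, ""); gsub(/=/, " ") }          # drop comments, allow key=value
    NF == 0 { next }                             # skip blank lines
    tolower($1) == "match" { exit }              # conditional section: stop reading globals
    tolower($1) == "passwordauthentication" && !found { val = tolower($2); found = 1 }
    END { print (found ? val : "yes") }          # absent keyword => built-in default "yes"
  ' "$1"
}

# Exit status 0 when password authentication is disabled globally, 1 otherwise.
sshd_password_auth_disabled() {
  [ "$(sshd_password_auth "$1")" = "no" ]
}

# --- constructed sample configs (not taken from any real host) ---
weak_cfg=$(mktemp)
hardened_cfg=$(mktemp)
match_only_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hardened_cfg" "$match_only_cfg"' EXIT

# 1) Keyword only commented out: the built-in default "yes" still applies.
cat > "$weak_cfg" <<'EOF'
Protocol 2
#PasswordAuthentication no
PubkeyAuthentication yes
EOF

# 2) Key-only setup as recommended in the reply (PubkeyAuthentication is the
#    ssh2 counterpart of RSAAuthentication). The later duplicate line is
#    ignored because the first occurrence wins.
cat > "$hardened_cfg" <<'EOF'
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
EOF

# 3) Trap: the "no" lives only inside a Match block, so the global value
#    remains the default "yes" for every connection the block does not cover.
cat > "$match_only_cfg" <<'EOF'
Protocol 2
PubkeyAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication no
EOF

for cfg in "$weak_cfg" "$hardened_cfg" "$match_only_cfg"; do
  if sshd_password_auth_disabled "$cfg"; then
    echo "$cfg: PasswordAuthentication no (key-only, as the reply recommends)"
  else
    echo "$cfg: PasswordAuthentication effectively $(sshd_password_auth "$cfg")"
  fi
done
```

This is meant for offline review of configuration files. On a live host, `sshd -T` prints the configuration sshd will actually use after parsing and is the authoritative check; the script is useful when you only have the file, or when you want to flag the commented-out and Match-only cases that a quick `grep` would miss.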
Re: OpenSSH/PAM timing attack allows remote users identification May 01 2003 03:20PM
Thilo Schulz (arny ats s bawue de) (1 replies)
Re: OpenSSH/PAM timing attack allows remote users identification May 02 2003 11:20AM
Marco Ivaldi (raptor mediaservice net)
Re: OpenSSH/PAM timing attack allows remote users identification May 01 2003 09:12AM
Ethan Benson (erbenson alaska net) (2 replies)
Re: OpenSSH/PAM timing attack allows remote users identification May 05 2003 12:55PM
Marco Ivaldi (raptor mediaservice net)
Re: OpenSSH/PAM timing attack allows remote users identification May 01 2003 06:15PM
Nicolas Couture (nc stormvault net)


 
