BugTraq

Thread: OpenSSH/PAM timing attack allows remote users identification
  Apr 30 2003 02:34PM  Marco Ivaldi (raptor mediaservice net)  (4 replies)
    Re: May 02 2003 01:15PM  Michael Shigorin (mike osdn org ua)  (1 reply)
      Re: May 02 2003 01:48PM  Marco Ivaldi (raptor mediaservice net)
    Re: May 01 2003 03:20PM  Thilo Schulz (arny ats s bawue de)  (1 reply)
      Re: May 02 2003 11:20AM  Marco Ivaldi (raptor mediaservice net)
    Re: May 01 2003 09:12AM  Ethan Benson (erbenson alaska net)  (2 replies)
      Re: May 05 2003 12:55PM  Marco Ivaldi (raptor mediaservice net)
      Re: May 01 2003 06:15PM  Nicolas Couture (nc stormvault net)
> Security Advisory @ Mediaservice.net Srl
> (#01, 30/04/2003) Data Security Division
>
> Title: OpenSSH/PAM timing attack allows remote users identification
> Application: OpenSSH-portable <= 3.6.1p1
> Platform: Linux, maybe others
> Description: A remote attacker can identify valid users on vulnerable
> systems; all PAM-enabled systems are potentially affected
> Author: Marco Ivaldi <raptor (at) mediaservice (dot) net>
> Contributors: Maurizio Agazzini <inode (at) mediaservice (dot) net>,
> Solar Designer <solar (at) openwall (dot) com>,
> Andrea Ghirardini <pila (at) pilasecurity (dot) com>
> Vendor Status: OpenSSH team notified on 12/04/2003,
> vendor-sec list notified on 28/04/2003
> CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
> the name CAN-2003-0190 to this issue.
> References: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190
>
> 1. Abstract.
>
> During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM
> support enabled (via the --with-pam configure script switch). This bug allows a
> remote attacker to identify valid users on vulnerable systems, through a simple
> timing attack. The vulnerability is easy to exploit and may have high severity,
> if combined with poor password policies and other security problems that allow
> local privilege escalation.
>
> 2. Example Attack Session.
>
> root@voodoo:~# ssh [valid_user]@lab.mediaservice.net
> [valid_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string
> [2 secs delay]
> Permission denied, please try again.
>
> root@voodoo:~# ssh [no_such_user]@lab.mediaservice.net
> [no_such_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string
> [no delay]
> Permission denied, please try again.
>
> 4. Fix.
The "Fix" is to encourage all users/admins of OpenSSH to _only_ work
with key authentication (preferably only the ssh2 protocol) on all ssh servers.
Switch the default:
    PasswordAuthentication yes
into:
    PasswordAuthentication no
in sshd_config.
In combination with the default "RSAAuthentication yes" it results in:
,--------
| kh@i4x:~$ ssh dodo@i4x <-dodo=no_such_user
| [no delay]
| Permission denied (publickey).
`--------
The same as:
,--------
| kh@i4x:~$ ssh root@i4x
| [no delay]
| Permission denied (publickey).
`--------
That would be my 2 cents.
Karl-Heinz
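An added example, not code from the thread or from OpenSSH: a small Python audit that checks an sshd_config against the change proposed above, using current sshd parsing rules (first value for a keyword wins, keywords are case-insensitive, `Match` blocks apply conditionally) and also checking ChallengeResponseAuthentication, which is the other password-style route into PAM when UsePAM is on. The sample configs at the bottom are constructed.

```python
import re

# sshd built-in defaults for the directives that decide whether a password prompt (and with it the PAM password path) is reachable.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",  # keyboard-interactive; PAM-backed when UsePAM is on
    "pubkeyauthentication": "yes",
}

def parse_sshd_config(text):
    """Return (global_opts, match_blocks). sshd keeps the FIRST value seen for a
    keyword, keywords are case-insensitive, 'key value' and 'key=value' are both
    accepted, '#' starts a comment, and directives after a Match line apply only
    to matching connections, so those are collected per block."""
    global_opts, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = re.sub(r"\s*=\s*", " ", line, count=1).partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            current = {"criteria": value, "opts": {}}
            match_blocks.append(current)
            continue
        target = global_opts if current is None else current["opts"]
        target.setdefault(key, value.lower())  # first occurrence wins; later ones are ignored by sshd
    return global_opts, match_blocks

def audit_sshd_config(text):
    """Return a list of findings; an empty list means key-only login is enforced."""
    global_opts, match_blocks = parse_sshd_config(text)
    eff = lambda k: global_opts.get(k, DEFAULTS[k])
    findings = []
    if eff("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is effectively yes")
    if eff("challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication is effectively yes")
    if eff("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off; no key-based login possible")
    for blk in match_blocks:
        for k in ("passwordauthentication", "challengeresponseauthentication"):
            if blk["opts"].get(k) == "yes":
                findings.append("Match %s re-enables %s" % (blk["criteria"], k))
    return findings

# Constructed sample configs (not taken from the thread).
WEAK = "Port 22\n#PasswordAuthentication no\nPasswordAuthentication yes\n"
FIXED = "PasswordAuthentication no\nChallengeResponseAuthentication=no\n"
SUBTLE = FIXED + "Match Address 10.0.0.0/8\n    PasswordAuthentication yes\n"
```

Run `audit_sshd_config` over the real file to confirm the directive is not only set but also not silently overridden by an earlier occurrence or re-enabled inside a Match block.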