During a pen-test we have notice how is easy to identify valid users on
vulnerable systems, through a simple timing attack.
When I try to connect to ftp without ssl using a unreal user with bad
password I get
immediatly response of incorrect login, when I use real user with bad
password I get 2 second of wait before get message of incorrect login.
It seems to be very nice to the recent CAN-2003-0190 about OpenSSH/PAM
timing attack allows remote users identification
I have tested this on Linux RH 7.3 and RH 8.0
I belive the vulnerability is easy to exploit and may have high
severity, if combined with poor password policies and other security
problems that allow local privilege escalation.
Alessandro Fiorenzi
a.fiorenzi (at) infogroup (dot) it [email concealed] aka netexpress
------------------------------------------------------------------------
-
DR. FIORENZI ALESSANDRO *
Consulente Tribunale Firenze - sicurezza informatica -
System Administrator
Socio CLUSIT <file:///home/fiore/signature/www.clusit.it>, ALSI
<file:///home/fiore/signature/www.alsi.it>
Tel : +39.055.43.65.742
CE : +39.335.64.144.77
@Email : a.fiorenzi (at) infogroup (dot) it [email concealed]
PGP Key: http://www.infogroup.it/ds/fiorenzi.asc
/-----------------------------------------------------------------------
--
*"Faber est suae quisque fortunae" *
------------------------------------------------------------------------
-/
During a pen-test we have notice how is easy to identify valid users on
vulnerable systems, through a simple timing attack.
When I try to connect to ftp without ssl using a unreal user with bad
password I get
immediatly response of incorrect login, when I use real user with bad
password I get 2 second of wait before get message of incorrect login.
It seems to be very nice to the recent CAN-2003-0190 about OpenSSH/PAM
timing attack allows remote users identification
I have tested this on Linux RH 7.3 and RH 8.0
I belive the vulnerability is easy to exploit and may have high
severity, if combined with poor password policies and other security
problems that allow local privilege escalation.
Alessandro Fiorenzi
a.fiorenzi (at) infogroup (dot) it [email concealed] aka netexpress
*-----------------------------------------------------------------------
-
INFOGROUP S.P.A http://www.infogroup.it
------------------------------------------------------------------------
-
DR. FIORENZI ALESSANDRO *
Consulente Tribunale Firenze - sicurezza informatica -
System Administrator
Socio CLUSIT <file:///home/fiore/signature/www.clusit.it>, ALSI
<file:///home/fiore/signature/www.alsi.it>
Tel : +39.055.43.65.742
CE : +39.335.64.144.77
@Email : a.fiorenzi (at) infogroup (dot) it [email concealed]
PGP Key: http://www.infogroup.it/ds/fiorenzi.asc
/-----------------------------------------------------------------------
--
*"Faber est suae quisque fortunae" *
------------------------------------------------------------------------
-/
//
[ reply ]