Re: OpenSSH/PAM timing attack allows remote users identification

From: Karl-Heinz Haag (k.haag@linux-ag.com)
Date: Thu May 01 2003 - 19:56:31 CDT


Quoting Marco Ivaldi (raptor@mediaservice.net):

> Security Advisory Mediaservice.net Srl
> (#01, 30/04/2003) Data Security Division
>
> Title: OpenSSH/PAM timing attack allows remote users identification
> Application: OpenSSH-portable <= 3.6.1p1
> Platform: Linux, maybe others
> Description: A remote attacker can identify valid users on vulnerable
> systems, all PAM-enabled systems are potentially affected
> Author: Marco Ivaldi <raptor@mediaservice.net>
> Contributors: Maurizio Agazzini <inode@mediaservice.net>,
> Solar Designer <solar@openwall.com>,
> Andrea Ghirardini <pila@pilasecurity.com>
> Vendor Status: OpenSSH team notified on 12/04/2003,
> vendor-sec list notified on 28/04/2003
> CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
> the name CAN-2003-0190 to this issue.
> References: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190
>
> 1. Abstract.
>
> During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM
> support enabled (via the --with-pam configure script switch). This bug allows a
> remote attacker to identify valid users on vulnerable systems, through a simple
> timing attack. The vulnerability is easy to exploit and may have high severity,
> if combined with poor password policies and other security problems that allow
> local privilege escalation.
>
> 2. Example Attack Session.
>
> root@voodoo:~# ssh [valid_user]@lab.mediaservice.net
> [valid_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string
> [2 secs delay]
> Permission denied, please try again.
>
> root@voodoo:~# ssh [no_such_user]@lab.mediaservice.net
> [no_such_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string
> [no delay]
> Permission denied, please try again.
>
> 4. Fix.

The "Fix" is to encourage all users/admins of OpenSSH to _only_ work
with key authentication (preferably only the ssh2 protocol) on all ssh servers.

Switch the default:
PasswordAuthentication yes

Into:
PasswordAuthentication no

in sshd_config

In combination with the default "RSAAuthentication yes" it results in:

,--------
| kh@i4x:~$ ssh dodo@i4x <-dodo=no_such_user
| [no delay]
| Permission denied (publickey).
`--------

The same as:
,--------
| kh@i4x:~$ ssh root@i4x
| [no delay]
| Permission denied (publickey).
`--------

That would be my 2Cent.

Karl-Heinz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+scI/ggE0AflsbMURAubfAKCLlYdgoRlB2WoXrU6BVDC5yLuWDwCdEQPp
fv7clLHYSM11QXKiasEOzcI=
=TszD
-----END PGP SIGNATURE-----
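Added example (not part of Marco's advisory or Karl-Heinz's reply, and not OpenSSH code): the script below models the two behaviours discussed in this thread with a toy stand-in for sshd so it can run offline. The account names, the scaled-down failure delay and the sshd_config snippets are constructed. It shows (a) how an attacker turns the PAM delay into a yes/no oracle by taking the median of several failed logins and comparing against a name that is known not to exist, (b) that the same oracle yields nothing once password authentication is off, because both paths then fail immediately with "Permission denied (publickey)", and (c) a check of the PasswordAuthentication keyword that respects the sshd_config(5) rule that the first obtained value of a keyword wins, so a "no" appended below an existing "yes" does not actually turn password authentication off.

```python
"""Timing-oracle user enumeration modelled on the OpenSSH/PAM behaviour in
this thread, plus a check for the PasswordAuthentication fix.

Constructed example: the "server" below is a toy stand-in for sshd, not
OpenSSH code, and the account names and delays are made up.  Runs offline.
"""
import statistics
import time
from typing import Callable, Dict, List

# Constructed sample accounts known to the toy server.
VALID_USERS = {"root", "alice", "bob"}


def make_server(password_auth: bool, fail_delay: float = 0.05) -> Callable[[str, str], str]:
    """Return a toy authenticate(user, password) function.

    With password_auth=True it mimics the advisory's vulnerable path: a valid
    account pays the PAM failure delay (2 s on the real system, scaled down to
    fail_delay here) while an unknown account is rejected at once.  With
    password_auth=False (the proposed fix, PasswordAuthentication no) both are
    rejected immediately with the same message, so timing reveals nothing.
    """
    def authenticate(user: str, password: str) -> str:
        if not password_auth:
            return "Permission denied (publickey)."
        if user in VALID_USERS:
            time.sleep(fail_delay)  # delay only on the valid-user path
        return "Permission denied, please try again."
    return authenticate


def probe(server: Callable[[str, str], str], user: str, samples: int = 5) -> float:
    """Median wall-clock time of `samples` failed logins for `user`.

    The median, rather than a single sample, keeps one slow outlier
    (network jitter, a busy host) from misclassifying an account.
    """
    times: List[float] = []
    for _ in range(samples):
        start = time.perf_counter()
        server(user, "x")  # arbitrary non-empty password, as in the advisory
        times.append(time.perf_counter() - start)
    return statistics.median(times)


def enumerate_users(server: Callable[[str, str], str], candidates: List[str],
                    baseline_user: str = "zz-no-such-user-zz",
                    samples: int = 5, min_gap: float = 0.02) -> Dict[str, bool]:
    """Classify each candidate as valid if its failure is slower than a
    known-nonexistent account by more than min_gap seconds."""
    baseline = probe(server, baseline_user, samples)
    return {u: probe(server, u, samples) - baseline > min_gap for u in candidates}


def password_auth_enabled(sshd_config: str) -> bool:
    """Report whether an sshd_config text leaves password authentication on.

    sshd_config(5): for each keyword the first obtained value is used, so a
    later 'PasswordAuthentication no' does not override an earlier 'yes'.
    Match blocks are not evaluated by this check; parsing stops at the first
    one.  The compiled-in default is yes.
    """
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break
        if key == "passwordauthentication" and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return True


if __name__ == "__main__":
    names = ["root", "alice", "nobody-here", "mallory"]
    print("vulnerable:", enumerate_users(make_server(password_auth=True), names))
    print("fixed:     ", enumerate_users(make_server(password_auth=False), names))
    print("first value wins:", password_auth_enabled(
        "PasswordAuthentication yes\nPasswordAuthentication no\n"))
```

On a real host, check the effective setting with `sshd -T | grep -i passwordauthentication` rather than by reading the file, since that prints the value sshd will actually use after all includes and first-match resolution.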