NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Full-Disclosure> 2007-04

[Full-disclosure] OpenSSH - System Account Enumeration if S/Key is used

From: rembrandt (rembrandthelith.org)
Date: Fri Apr 20 2007 - 19:27:17 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Note to the Moderator: Sorry I send ya a Beta in the first mail :)

                     _ _ _____ _ ___ _____ _ _
                    / / / / ____/ / / _/_ __/ / / /
                   / /_/ / __/ / / / / / / / /_/ /
                  / __ / /___/ /____/ / / / / __ /
                 /_/ /_/_____/_____/___/ /_/ /_/ /_/
                            Helith - 0815
--------------------------------------------------------------------------------

Author: Rembrandt
Date: Known since somewhere in 2005
Affected Software: OpenSSH 4.6 <=
Proppably everything which is based on OpenSSH
Type: Remote
Type: Enumeration of system accounts

Greets go to: Helith and all affiliated People, t3c0, levent, str0ke,
              The EOF-Crew, rrlf, herm1t, Solar Designer, softxor,
              Packetstorm (Todd, Emerson(Thanks for the Cohiba and beer))
              and others

--------------------------------------------------------------------------------

OpenSSH is vulnerable to an information leak which allows remote attackers
to gain informations about system accounts, in case S/KEY is used on the system.

If "ChallengeResponseAuthentication" is set to "Yes", which is the default
setting, SH allows the user to login by using S/KEY in the form of
'ssh userid:skeyhostname'.

The normal behavior for SSH looks like this:

===============================================================================
alucard $ ssh usersomewhere
Permission denied (publickey,keyboard-interactive).
===============================================================================

Passwordauthentication is disabled as you can see.
Now you can test about ChallangeResponseAuthentication.
If it`s enabled it will let you determine the existence of system accounts.

===============================================================================
alucard $ ssh user:skeysomewhere
otp-md5 99 some04578
S/Key Password:

alucard $
===============================================================================

If a account does not exist OpenSSH reacts like exspected.

===============================================================================
alucard $ ssh testuser:skeysomewhere
Permission denied (publickey,keyboard-interactive).
===============================================================================

As you can see clearly OpenSSH discloses the existence of system accounts.
A possible solution for this problem would be to print a fake S/Key-Request
even for non existing users as well as it`s done with the
Passwordauthentication.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]