Fwd: [raptor at mediaservice.net: OpenSSH/PAM timing attack allows remote users identification]
Tomasz Kłoczko
kloczek at rudy.mif.pg.gda.pl
Wed Apr 30 20:02:03 CEST 2003
On Wed, 30 Apr 2003, PLD at Repcio wrote:
>
> I checked on 2 machines with the default OpenSSH configuration
> confirmed..
[..]
> 1. Abstract.
>
> During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM
> support enabled (via the --with-pam configure script switch). This bug allows a
> remote attacker to identify valid users on vulnerable systems, through a simple
> timing attack. The vulnerability is easy to exploit and may have high severity,
> if combined with poor password policies and other security problems that allow
> local privilege escalation.
>
> 2. Example Attack Session.
>
> root at voodoo:~# ssh [valid_user]@lab.mediaservice.net
> [valid_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string
> [2 secs delay]
> Permission denied, please try again.
>
> root at voodoo:~# ssh [no_such_user]@lab.mediaservice.net
> [no_such_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string
> [no delay]
> Permission denied, please try again.
[kloczek at test1 rpm]$ ssh eciepecie at localhost
Password:
Password:
Password:
eciepecie at localhost's password: <=============
Permission denied, please try again.
eciepecie at localhost's password:
Permission denied, please try again.
eciepecie at localhost's password:
Received disconnect from 127.0.0.1: 2: Too many authentication failures for eciepecie
Here, the shorter time before the next login prompt only starts at the
marked place.
Setting nodelay is a rather mediocre solution.
Either way, the matter is IMHO not critical.
kloczek
--
-----------------------------------------------------------
*People don't have problems, they just create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek at rudy.mif.pg.gda.pl*
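
An added illustration, not code from OpenSSH, PAM or either poster: a simplified C model of the timing difference shown in the quoted session, next to a failure path that does the same work and applies the same delay whether or not the account exists. The account table, the dummy account, all function names and the early-exit cause in `leaky_auth` are assumptions made for the example; the 2000 ms figure mirrors the "[2 secs delay]" line, and delays are returned rather than slept so the result can be checked.

```c
#include <stdio.h>
#include <string.h>
#define FAIL_DELAY_MS 2000 /* the "[2 secs delay]" seen in the quoted session */
struct account { const char *name; const char *secret; };
struct outcome { int granted; int delay_ms; };

/* Constructed sample data; a real system stores and verifies password hashes. */
static const struct account accounts[] = { { "alice", "correct horse" } };
static const struct account dummy = { "", "dummy secret" };

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0)
            return &accounts[i];
    return NULL;
}

/* Compare all bytes of both strings; no early exit at the first mismatch. */
static int secret_matches(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), n = la > lb ? la : lb;
    size_t diff = la ^ lb;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)((i < la ? a[i] : 0) ^ (i < lb ? b[i] : 0));
    return diff == 0;
}

/* Leaky model (assumed cause): unknown users return before the failure delay. */
static struct outcome leaky_auth(const char *user, const char *pw) {
    const struct account *acct = lookup(user);
    if (acct == NULL)
        return (struct outcome){ 0, 0 };
    int ok = secret_matches(acct->secret, pw);
    return (struct outcome){ ok, ok ? 0 : FAIL_DELAY_MS };
}

/* Uniform model: unknown users are compared against a dummy account and fail like any other. */
static struct outcome uniform_auth(const char *user, const char *pw) {
    const struct account *acct = lookup(user);
    int ok = secret_matches((acct ? acct : &dummy)->secret, pw) & (acct != NULL);
    return (struct outcome){ ok, ok ? 0 : FAIL_DELAY_MS };
}

int main(void) {
    printf("leaky   valid/unknown: %d/%d ms\n",
           leaky_auth("alice", "x").delay_ms, leaky_auth("nobody", "x").delay_ms);
    printf("uniform valid/unknown: %d/%d ms\n",
           uniform_auth("alice", "x").delay_ms, uniform_auth("nobody", "x").delay_ms);
    return 0;
}
```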