Fwd: [raptor@mediaservice.net: OpenSSH/PAM timing attack allows remote users identification]

PLD@Repcio pld w main.repcio.net
Śro, 30 Kwi 2003, 18:59:47 CEST


Sprawdziłem na 2 maszynach z domyślną konfiguracja OpenSSH
potwierdzone..

----- Forwarded message from Marco Ivaldi <raptor w mediaservice.net> -----

From: Marco Ivaldi <raptor w mediaservice.net>
To: <bugtraq w securityfocus.com>
Date: Wed, 30 Apr 2003 16:34:27 +0200 (CEST)
Subject: OpenSSH/PAM timing attack allows remote users identification
Posted-Date: Wed, 30 Apr 2003 18:34:42 +0200
Mailing-List: contact bugtraq-help w securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq w securityfocus.com>
List-Help: <mailto:bugtraq-help w securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe w securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe w securityfocus.com>
Delivered-To: mailing list bugtraq w securityfocus.com
Delivered-To: moderator for bugtraq w securityfocus.com

Security Advisory                                       @ Mediaservice.net Srl
(#01, 30/04/2003)                                       Data Security Division

         Title: OpenSSH/PAM timing attack allows remote users identification
   Application: OpenSSH-portable <= 3.6.1p1
      Platform: Linux, maybe others
   Description: A remote attacker can identify valid users on vulnerable
                systems, all PAM-enabled systems are potentially affected
        Author: Marco Ivaldi <raptor w mediaservice.net>
  Contributors: Maurizio Agazzini <inode w mediaservice.net>,
                Solar Designer <solar w openwall.com>,
                Andrea Ghirardini <pila w pilasecurity.com>
 Vendor Status: OpenSSH team notified on 12/04/2003,
                vendor-sec list notified on 28/04/2003
 CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
                the name CAN-2003-0190 to this issue.
    References: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190

1. Abstract.

During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM
support enabled (via the --with-pam configure script switch). This bug allows a 
remote attacker to identify valid users on vulnerable systems, through a simple
timing attack. The vulnerability is easy to exploit and may have high severity,
if combined with poor password policies and other security problems that allow 
local privilege escalation.

2. Example Attack Session.

root w voodoo:~# ssh [valid_user]@lab.mediaservice.net
[valid_user]@lab.mediaservice.net's password:   <- arbitrary (non-null) string
[2 secs delay]
Permission denied, please try again.

root w voodoo:~# ssh [no_such_user]@lab.mediaservice.net
[no_such_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string
[no delay]
Permission denied, please try again.

3. Affected Platforms.

All vendors supporting Linux-PAM are potentially affected. This includes:

* Debian GNU/Linux              [confirmed in the default install]
* Red Hat Linux                 [confirmed in the default install]
* Mandrake Linux                [confirmed in the default install]
* SuSE Linux                    [not confirmed in the default install]
* Caldera/SCO Linux             [not confirmed in the default install]
* Apple OS-X                    [not confirmed in the default install]
* MSC.Linux                     [not confirmed in the default install]

NOTE. FreeBSD uses both a different PAM implementation and a different PAM
support in OpenSSH: it doesn't seem to be vulnerable to this particular timing
leak issue.

All OpenSSH-portable releases <= OpenSSH_3.6.1p1 compiled with PAM support 
enabled (./configure --with-pam) are vulnerable to this information leak. The
PAMAuthenticationViaKbdInt directive doesn't need to be enabled in sshd_config.

4. Fix.

There is currently no complete fix to this. Moreover, there are many smaller 
timing leaks which too are easy to use to obtain the same information. These 
are primarily in OpenSSH and in the system libraries (getpwnam(3), NSS modules, 
and so on). Solving this kind of timing leaks requires a re-design of the 
authentication code paths (partially in OpenBSD tree and partially only in 
-portable).

Solar Designer has written an OpenSSH-portable patch for Openwall GNU/*/Linux
(http://www.openwall.com/Owl/) that makes OpenSSH always run PAM with password
authentication, even for non-existent or not allowed usernames, thus fixing the
bigger problem outlined in this advisory. Please note that this patch merely
reduces the timing leaks without fully removing them. Other OpenSSH patches 
from the Owl project are available via:

cvs -d :pserver:anoncvs:anoncvs w anoncvs.owl.openwall.com:/cvs co Owl/packages/openssh

The OpenSSH team has released OpenSSH 3.6.1p2, which includes the changes
introduced by Openwall GNU/*/Linux. All OpenSSH-portable users are encouraged
to upgrade.

Our team (with the contribution of Andrea Ghirardini) has been able to find a 
valid workaround for the specific timing leak mentioned in this advisory: just
add the "nodelay" option to the pam_unix.so auth configuration.  

This is a modified (not vulnerable) configuration for Red Hat Linux (notice
the "nodelay" option on line 2 of /etc/pam.d/system-auth):

[root w redhat pam.d]# pwd
/etc/pam.d
[root w redhat pam.d]# cat sshd
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so
[root w redhat pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok nodelay
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

5. Proof Of Concept.

The @ Mediaservice.net D.S.D. (Data Security Division) has developed a working
proof of concept that automatically exploits this information leak issue. The
source code is available for free download at:

http://lab.mediaservice.net/code/ssh_brute.c
http://lab.mediaservice.net/code/openssh-3.6.1p1_brute.diff

Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved.


----- End forwarded message -----


-- 
Pozdrowienia,
 PLD                            mailto:pld w main.repcio.net
-------------- następna część ---------
Załączona wiadomość została usunięta...
From: "=?iso-8859-2?Q?Przemysław?Subject: [raptor w mediaservice.net: OpenSSH/PAM timing attack allows remote users identification]
Date: Wed, 30 Apr 2003 18:55:09 +0200
Size: 7889
Url: /mailman/pipermail/pld-devel-pl/attachments/20040626/df44cf2f/1.mht


Więcej informacji o liście dyskusyjnej pld-devel-pl