Security Advisory @ Mediaservice.net Srl (#01, 30/04/2003) Data Security Division Title: OpenSSH/PAM timing attack allows remote users identification Application: OpenSSH-portable <= 3.6.1p1 Platform: Linux, maybe others Description: A remote attacker can identify valid users on vulnerable systems, all PAM-enabled systems are potentially affected Author: Marco Ivaldi Contributors: Maurizio Agazzini , Solar Designer , Andrea Ghirardini Vendor Status: OpenSSH team notified on 12/04/2003, vendor-sec list notified on 28/04/2003 CVE Candidate: The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0190 to this issue. References: http://lab.mediaservice.net/advisory/2003-01-openssh.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190 1. Abstract. During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation. 2. Example Attack Session. root@voodoo:~# ssh [valid_user]@lab.mediaservice.net [valid_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string [2 secs delay] Permission denied, please try again. root@voodoo:~# ssh [no_such_user]@lab.mediaservice.net [no_such_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string [no delay] Permission denied, please try again. 3. Affected Platforms. All vendors supporting Linux-PAM are potentially affected. This includes: * Debian GNU/Linux [confirmed in the default install] * Red Hat Linux [confirmed in the default install] * Mandrake Linux [confirmed in the default install] * SuSE Linux [not confirmed in the default install] * Caldera/SCO Linux [not confirmed in the default install] * Apple OS-X [not confirmed in the default install] * MSC.Linux [not confirmed in the default install] NOTE. FreeBSD uses both a different PAM implementation and a different PAM support in OpenSSH: it doesn't seem to be vulnerable to this particular timing leak issue. All OpenSSH-portable releases <= OpenSSH_3.6.1p1 compiled with PAM support enabled (./configure --with-pam) are vulnerable to this information leak. The PAMAuthenticationViaKbdInt directive doesn't need to be enabled in sshd_config. 4. Fix. There is currently no complete fix to this. Moreover, there are many smaller timing leaks which too are easy to use to obtain the same information. These are primarily in OpenSSH and in the system libraries (getpwnam(3), NSS modules, and so on). Solving this kind of timing leaks requires a re-design of the authentication code paths (partially in OpenBSD tree and partially only in -portable). Solar Designer has written an OpenSSH-portable patch for Openwall GNU/*/Linux (http://www.openwall.com/Owl/) that makes OpenSSH always run PAM with password authentication, even for non-existent or not allowed usernames, thus fixing the bigger problem outlined in this advisory. Please note that this patch merely reduces the timing leaks without fully removing them. Other OpenSSH patches from the Owl project are available via: cvs -d :pserver:anoncvs:anoncvs@anoncvs.owl.openwall.com:/cvs co Owl/packages/openssh The OpenSSH team has released OpenSSH 3.6.1p2, which includes the changes introduced by Openwall GNU/*/Linux. All OpenSSH-portable users are encouraged to upgrade. Our team (with the contribution of Andrea Ghirardini) has been able to find a valid workaround for the specific timing leak mentioned in this advisory: just add the "nodelay" option to the pam_unix.so auth configuration. This is a modified (not vulnerable) configuration for Red Hat Linux (notice the "nodelay" option on line 2 of /etc/pam.d/system-auth): [root@redhat pam.d]# pwd /etc/pam.d [root@redhat pam.d]# cat sshd #%PAM-1.0 auth required /lib/security/pam_stack.so service=system-auth auth required /lib/security/pam_nologin.so account required /lib/security/pam_stack.so service=system-auth password required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_limits.so session optional /lib/security/pam_console.so [root@redhat pam.d]# cat system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_unix.so likeauth nullok nodelay auth required /lib/security/pam_deny.so account required /lib/security/pam_unix.so password required /lib/security/pam_cracklib.so retry=3 type= password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow password required /lib/security/pam_deny.so session required /lib/security/pam_limits.so session required /lib/security/pam_unix.so 5. Proof Of Concept. The @ Mediaservice.net D.S.D. (Data Security Division) has developed a working proof of concept that automatically exploits this information leak issue. The source code is available for free download at: http://lab.mediaservice.net/code/ssh_brute.c http://lab.mediaservice.net/code/openssh-3.6.1p1_brute.diff Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved.