[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <40320B1E.3000706@zip.com.au>
Date: Tue, 17 Feb 2004 23:37:50 +1100
From: Darren Tucker <dtucker@....com.au>
To: Scott J <mrbinary@...oo.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: AIX password enumeration possible
Scott J wrote:
[snippage]
> Abstract: Remote password enumeration possible for
> accounts not permitted direct login in AIX
> Affected Systems: AIX 4.3.3 and AIX 5.1, likely other levels of AIX
[...]
> Known Vulnerable:
>
> AIX 4.3.3 maintenance level 10 applied - assume all levels of AIX 4.3.3
> AIX 5.1 maintenance level 4 applied - assume all levels of AIX 5.1
[...]
> Access methods tested and verified:
[...]
> ssh ( OpenSSH - no commercial SSH variant tested )
>
> ++ Note: OpenSSH version most recently tested was the prepackaged version
> for AIX 5.1 currently available (as of Feb. 2004) on DeveloperWorks at:
> http://oss.software.ibm.com/developerworks/projects/opensshi
> It's not known for certain if this weakness would exist for an in-house
> compiled version of Portable OpenSSH on AIX but as the weakness is
> believed to be in the response from the login program after authentication
> has taken place, it would also likely be affected. Also, it makes no
> difference if sshd is configured to allow or disallow root login via
> the PermitRootLogin option.
Could you please elaborate how you were able to cause this behaviour
with OpenSSH's sshd? (ssh -vvv and matching sshd -ddd would be very
helpful, feel free to send those to me directly or post to the OpenSSH
devel list: openssh-unix-dev at mindrot.org.)
An account with rlogin=false will cause the loginrestrictions test (in
getpwnamallow() in auth.c) to fail. The remainder of the
authentications will consider the user "illegal" but should not give any
external indication of this. You will see "3004-306 Remote logins are
not allowed for this account" on the server side if you have debugging
enabled, but this is (well, should) not sent to the user.
I tested "openssh361p2_51_patch.tar.Z" from the IBM site on 5.1 ML4 and
was not able to reproduce the described behaviour with the default
config. The only way I could cause it was with the root account with
PermitRootLogin=yes and UseLogin=yes. PermitRootLogin=no prevented it,
and UseLogin is not on by default (at least in the vanilla OpenSSH
distribution).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Powered by blists - more mailing lists