lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 17 Feb 2004 23:37:50 +1100
From: Darren Tucker <dtucker@....com.au>
To: Scott J <mrbinary@...oo.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: AIX password enumeration possible


Scott J wrote:
[snippage]
> Abstract:           Remote password enumeration possible for
>                     accounts not permitted direct login in AIX
> Affected Systems:   AIX 4.3.3 and AIX 5.1, likely other levels of AIX
[...]
> Known Vulnerable:
> 
> AIX 4.3.3 maintenance level 10 applied - assume all levels of AIX 4.3.3
> AIX 5.1 maintenance level 4 applied - assume all levels of AIX 5.1
[...]
> Access methods tested and verified:
[...]
> ssh ( OpenSSH - no commercial SSH variant tested )
> 
> ++ Note: OpenSSH version most recently tested was the prepackaged version 
> for AIX 5.1 currently available (as of Feb. 2004) on DeveloperWorks at: 
> http://oss.software.ibm.com/developerworks/projects/opensshi 
> It's not known for certain if this weakness would exist for an in-house 
> compiled version of Portable OpenSSH on AIX but as the weakness is 
> believed to be in the response from the login program after authentication 
> has taken place, it would also likely be affected. Also, it makes no 
> difference if sshd is configured to allow or disallow root login via 
> the PermitRootLogin option.

Could you please elaborate how you were able to cause this behaviour
with OpenSSH's sshd?  (ssh -vvv and matching sshd -ddd would be very 
helpful, feel free to send those to me directly or post to the OpenSSH 
devel list: openssh-unix-dev at mindrot.org.)

An account with rlogin=false will cause the loginrestrictions test (in
getpwnamallow() in auth.c) to fail.  The remainder of the
authentications will consider the user "illegal" but should not give any
external indication of this.  You will see "3004-306 Remote logins are
not allowed for this account" on the server side if you have debugging
enabled, but this is (well, should) not sent to the user.

I tested "openssh361p2_51_patch.tar.Z" from the IBM site on 5.1 ML4 and 
was not able to reproduce the described behaviour with the default 
config.  The only way I could cause it was with the root account with 
PermitRootLogin=yes and UseLogin=yes.  PermitRootLogin=no prevented it, 
and UseLogin is not on by default (at least in the vanilla OpenSSH 
distribution).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


Powered by blists - more mailing lists