lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <407BD1F3.9080304@mindrot.org>
Date: Tue, 13 Apr 2004 21:41:39 +1000
From: Damien Miller <djm@...drot.org>
To: Felipe Neuwald <felipe.neuwald@...eno.com.br>
Cc: bugtraq@...urityfocus.com
Subject: Re: BID 7482, bug in OpenSSH (Still in FreeBSD-STABLE)


BTW this is an old bug, that was discussed on bugtraq last year.

Felipe Neuwald wrote:
> Hello Folks,
> 
> I tested only versions OpenSSH_3.5p1 (FreeBSD-STABLE), but it also work
> on other versions, as published May 01, 2003.

This bug existed in the PAM code of portable OpenSSH (not the OpenBSD
version), and was fixed before 3.7p1.

> It's easy to make one little program to discover with bruteforce the
> correct password of the root login. If the attacker have physical access
> to the system, it's very easy own the system.

You will likely be waiting a good while to guess any non-trivial
password.

This bug only exposes additional information when you find the
correct root password. You still have to search the entire keyspace with
no feedback to speed the search and you will have to reconnect every
three guesses.

Therefore, I don't agree that the impact of this old bug would make it
"very easy to own the system".

-d


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ