lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 9 Oct 2006 12:33:05 +0200 (CEST)
From: Marco Ivaldi <raptor@...eadbeef.info>
To: bugtraq@...urityfocus.com
Subject: yet another OpenSSH timing leak?

Hello Bugtraq,

Here we are again... During a recent penetration test i stumbled upon yet 
another OpenSSH timing leak, leading to remote disclosure of valid 
usernames. It's not as big as the one i found in the past (CVE-2003-0190),
but it can indeed be exploited over the Internet, nevertheless.

This time, OpenSSH-portable apparently introduces a small delay (see 
attached transcript for details) when verifying access credentials for 
users with a password set: it doesn't matter if they don't have a valid 
shell or login has been disabled through an sshd_config directive.

So far, i've not been able to determine the root cause of this exposure 
and i've reproduced it only on some fully-patched SUSE Linux 10.0 boxes
(OpenSSH_4.1 + SUSE patches, both protocols 1 and 2 are affected, with or 
without PAM authentication), therefore it may be a SUSE-specific and/or a
configuration-dependant flaw (latest tests on some freshly installed SUSE
systems didn't show the flawed behaviour).

That said, there are probably other timing leaks involving third-party 
patches (x509 certs, LDAP, and so on), logging, and custom configurations, 
as well as other ways in which valid usernames may be probed for (i.e., 
with RSA/DSA authentication) -- thus i decided to release a small script 
for testing timing patterns in sshd replies:

http://www.0xdeadbeef.info/code/sshtime

It needs expect, and target ssh hostkey must be already added. I'd be very 
interested in knowing the results of tests performed on other distros and 
configurations.

Thanks to Solar Designer and Andrea Barisani for the interesting 
discussion on this topic.

Cheers,

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707
View attachment "yet-another-openssh-timing-leak.txt" of type "TEXT/PLAIN" (2161 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ