lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.30L2.0304301358220.9889-200000@dns.mediaservice.net>
From: raptor at mediaservice.net (Marco Ivaldi)
Subject: OpenSSH/PAM timing attack allows remote users identification

Hi all,

See attached advisory.

--
Marco Ivaldi
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/


-------------- next part --------------
Security Advisory 					@ Mediaservice.net Srl
(#01, 30/04/2003)					Data Security Division

         Title:	OpenSSH/PAM timing attack allows remote users identification
   Application:	OpenSSH-portable <= 3.6.1p1
      Platform:	Linux, maybe others
   Description:	A remote attacker can identify valid users on vulnerable
		systems, all PAM-enabled systems are potentially affected
        Author:	Marco Ivaldi <raptor@...iaservice.net>
  Contributors: Maurizio Agazzini <inode@...iaservice.net>,
		Solar Designer <solar@...nwall.com>,
		Andrea Ghirardini <pila@...asecurity.com>
 Vendor Status: OpenSSH team notified on 12/04/2003,
		vendor-sec list notified on 28/04/2003
 CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
		the name CAN-2003-0190 to this issue.
    References: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190

1. Abstract.

During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM
support enabled (via the --with-pam configure script switch). This bug allows a 
remote attacker to identify valid users on vulnerable systems, through a simple
timing attack. The vulnerability is easy to exploit and may have high severity,
if combined with poor password policies and other security problems that allow 
local privilege escalation.

2. Example Attack Session.

root@...doo:~# ssh [valid_user]@lab.mediaservice.net
[valid_user]@lab.mediaservice.net's password:	<- arbitrary (non-null) string
[2 secs delay]
Permission denied, please try again.

root@...doo:~# ssh [no_such_user]@lab.mediaservice.net
[no_such_user]@lab.mediaservice.net's password:	<- arbitrary (non-null) string
[no delay]
Permission denied, please try again.

3. Affected Platforms.

All vendors supporting Linux-PAM are potentially affected. This includes:

* Debian GNU/Linux		[confirmed in the default install]
* Red Hat Linux			[confirmed in the default install]
* Mandrake Linux		[confirmed in the default install]
* SuSE Linux 			[not confirmed in the default install]
* Caldera/SCO Linux		[not confirmed in the default install]
* Apple OS-X			[not confirmed in the default install]
* MSC.Linux			[not confirmed in the default install]

NOTE. FreeBSD uses both a different PAM implementation and a different PAM
support in OpenSSH: it doesn't seem to be vulnerable to this particular timing
leak issue.

All OpenSSH-portable releases <= OpenSSH_3.6.1p1 compiled with PAM support 
enabled (./configure --with-pam) are vulnerable to this information leak. The
PAMAuthenticationViaKbdInt directive doesn't need to be enabled in sshd_config.

4. Fix.

There is currently no complete fix to this. Moreover, there are many smaller 
timing leaks which too are easy to use to obtain the same information. These 
are primarily in OpenSSH and in the system libraries (getpwnam(3), NSS modules, 
and so on). Solving this kind of timing leaks requires a re-design of the 
authentication code paths (partially in OpenBSD tree and partially only in 
-portable).

Solar Designer has written an OpenSSH-portable patch for Openwall GNU/*/Linux
(http://www.openwall.com/Owl/) that makes OpenSSH always run PAM with password
authentication, even for non-existent or not allowed usernames, thus fixing the
bigger problem outlined in this advisory. Please note that this patch merely
reduces the timing leaks without fully removing them. Other OpenSSH patches 
from the Owl project are available via:

cvs -d :pserver:anoncvs:anoncvs@...ncvs.owl.openwall.com:/cvs co Owl/packages/openssh

The OpenSSH team has released OpenSSH 3.6.1p2, which includes the changes
introduced by Openwall GNU/*/Linux. All OpenSSH-portable users are encouraged
to upgrade.

Our team (with the contribution of Andrea Ghirardini) has been able to find a 
valid workaround for the specific timing leak mentioned in this advisory: just
add the "nodelay" option to the pam_unix.so auth configuration.  

This is a modified (not vulnerable) configuration for Red Hat Linux (notice
the "nodelay" option on line 2 of /etc/pam.d/system-auth):

[root@...hat pam.d]# pwd
/etc/pam.d
[root@...hat pam.d]# cat sshd
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so
[root@...hat pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok nodelay
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

5. Proof Of Concept.

The @ Mediaservice.net D.S.D. (Data Security Division) has developed a working
proof of concept that automatically exploits this information leak issue. The
source code is available for free download at:

http://lab.mediaservice.net/code/ssh_brute.c
http://lab.mediaservice.net/code/openssh-3.6.1p1_brute.diff

Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ