openssh-disclose.txt

openssh-disclose.txt: Posted Apr 23, 2007; Authored by Rembrandt; System account enumeration is possible when OpenSSH versions 4.6 and below have ChallengeResponseAuthentication enabled (S/KEY).; tags | advisory, info disclosure; SHA-256 | 1ff367e663ad5227576fda522c34ea8d41163498f44a0745cfb6727e9de28a90; Download | Favorite | View

openssh-disclose.txt

                     _   _ _____ _     ___ _____ _   _
                   / / / / ____/ /   /  _/_  __/ / / /
                  / /_/ / __/ / /    / /  / / / /_/ /
                 / __  / /___/ /____/ /  / / / __  /
                /_/ /_/_____/_____/___/ /_/ /_/ /_/
                           Helith - 0815
--------------------------------------------------------------------------------


Author: Rembrandt
Date: Known since somewhere in 2005
Affected Software: OpenSSH 4.6 <=
                  Proppably everything which is based on OpenSSH
Type: Remote
Type: Enumeration of system accounts

Greets go to: Helith and all affiliated People, t3c0, levent, str0ke,
             The EOF-Crew, rrlf, herm1t, Solar Designer, softxor,
             Packetstorm (Todd, Emerson(Thanks for the Cohiba and beer))
             and others

--------------------------------------------------------------------------------



OpenSSH is vulnerable to an information leak which allows remote attackers
to gain informations about system accounts, in case S/KEY is used on the system.

If "ChallengeResponseAuthentication" is set to "Yes", which is the default
setting, SH allows the user to login by using S/KEY in the form of
'ssh userid:skey@hostname'.

The normal behavior for SSH looks like this:

===============================================================================
alucard $ ssh user@somewhere
Permission denied (publickey,keyboard-interactive).
===============================================================================

Passwordauthentication is disabled as you can see.
Now you can test about ChallangeResponseAuthentication.
If it`s enabled it will let you determine the existence of system accounts.

===============================================================================
alucard $ ssh user:skey@somewhere
otp-md5 99 some04578
S/Key Password:

alucard $
===============================================================================

If a account does not exist OpenSSH reacts like exspected.

===============================================================================
alucard $ ssh testuser:skey@somewhere
Permission denied (publickey,keyboard-interactive).
===============================================================================


As you can see clearly OpenSSH discloses the existence of system accounts.
A possible solution for this problem would be to print a fake S/Key-Request
even for non existing users as well as it`s done with the
Passwordauthentication.

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

openssh-disclose.txt

openssh-disclose.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

openssh-disclose.txt

Share This

openssh-disclose.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems