OpenSSH S/Key Remote Information Disclosure Vulnerability

Vulnerability ID: 1190844    Vulnerability type: Authorization issue
Published: 2007-04-25    Updated: 2007-04-26
CVE ID: CVE-2007-2243    CNNVD-ID: CNNVD-200704-479
Affected platform: N/A    CVSS score: 5.0
|Vulnerability source
https://cxsecurity.com/issue/WLB-2007040138
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-479
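|Vulnerability details
When ChallengeResponseAuthentication is enabled, OpenSSH allows a remote attacker to determine whether a user account exists by attempting to authenticate via S/KEY. The server returns a different response if the user account exists.
|Vulnerability EXP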
Author		 : Rembrandt
Date		 : 2007-04-21
Affected Software: openssh (probably other implementations as well)
Affected OS	 : any
Type		 : Information Disclosure

OSVDB		 : 34600
CVE		 : 2007-2243
ISS X-Force	 : 33794
BID		 : 23601


OpenSSH, when configured to use S/KEY authentication, is prone to a remote
information disclosure weakness. The issue occurs due to the S/KEY 
challenge/response system being used for valid accounts. If a remote attacker
systematically attempts authentication against a list of usernames, he can watch
the response to determine which accounts are valid.

If "ChallengeResponseAuthentication" is set to "Yes", which is the default
setting, OpenSSH allows the user to login by using S/KEY in the form of
'ssh userid:skey@hostname'.


Steps to reproduce:

$ ssh user@somewhere
Permission denied (publickey,keyboard-interactive).
$ ssh user:skey@somewhere  
otp-md5 99 some04578
S/Key Password:
               
$  


If the user account exists but is not configured to use S/KEY or if the
user account does not exist at the specific system the response looks normal.


$ ssh testuser:skey@somewhere
Permission denied (publickey,keyboard-interactive).       


As you can see clearly OpenSSH discloses the existence of system accounts.


Kind regards,
Rembrandt     
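
A configuration check for the precondition named above, as an added example that is not part of the advisory or of OpenSSH: it reads sshd_config text and reports whether ChallengeResponseAuthentication is in effect, globally or inside a Match block. The function names and sample configurations are constructed, Include files are not followed, and an unset keyword is assumed to be enabled because the advisory calls "Yes" the default.

```python
KEYWORD = "challengeresponseauthentication"   # sshd keywords are case-insensitive
# Assumption: an unset keyword counts as enabled, following the advisory's
# statement that "Yes" is the default setting.
ASSUMED_DEFAULT = "yes"

# Constructed sample configurations (not taken from any real host).
SAMPLE_UNSET = "Port 22\n# ChallengeResponseAuthentication no\nPasswordAuthentication no\n"
SAMPLE_DISABLED = (
    "challengeresponseauthentication no\n"
    "ChallengeResponseAuthentication yes\n"      # ignored: first value wins
    "Match Address 10.0.0.0/8\n"
    "    PasswordAuthentication yes\n"
)
SAMPLE_MATCH = (
    "ChallengeResponseAuthentication no\n"
    "Match User backup\n"
    "    ChallengeResponseAuthentication yes\n"  # re-enabled for one user
)


def audit_sshd_config(config_text):
    """Return (global_value, {match_criteria: value}) for KEYWORD."""
    global_value, overrides, scope = None, {}, None   # scope None = global section
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or comment
        fields = line.split(None, 1)
        key = fields[0].lower()
        arg = fields[1].strip() if len(fields) > 1 else ""
        if key == "match":
            scope = arg                    # later keywords apply to this block only
        elif key == KEYWORD and arg:
            value = arg.split()[0].strip('"').lower()
            if scope is not None:
                overrides.setdefault(scope, value)
            elif global_value is None:     # sshd keeps the first value it obtains
                global_value = value
    return global_value or ASSUMED_DEFAULT, overrides


def exposed(config_text):
    """True when the keyword is enabled globally or inside any Match block."""
    value, overrides = audit_sshd_config(config_text)
    return value == "yes" or "yes" in overrides.values()


if __name__ == "__main__":
    for name in ("SAMPLE_UNSET", "SAMPLE_DISABLED", "SAMPLE_MATCH"):
        print(name, audit_sshd_config(globals()[name]), "exposed:", exposed(globals()[name]))
```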
|References

Source: XF
Name: openssh-challenge-information-disclosure(33794)
Link: http://xforce.iss.net/xforce/xfdb/33794
Source: BID
Name: 23601
Link: http://www.securityfocus.com/bid/23601
Source: OSVDB
Name: 34600
Link: http://www.osvdb.org/34600
Source: SREASON
Name: 2631
Link: http://securityreason.com/securityalert/2631
Source: FULLDISC
Name: 20070424 OpenSSH - System Account Enumeration if S/Key is used
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053951.html
Source: FULLDISC
Name: 20070421 OpenSSH - System Account Enumeration if S/Key is used
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053906.html