OpenSSH configuration error vulnerability

Vulnerability ID: 1200821    Vulnerability type: Configuration error
Published: 2004-12-31    Updated: 2004-12-31
CVE: CVE-2004-2760    CNNVD-ID: CNNVD-200412-1221
Platform: N/A    CVSS score: 6.8
|Vulnerability sources
https://www.securityfocus.com/bid/90340
https://cxsecurity.com/issue/WLB-2008080108
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-1221
|Vulnerability details
sshd in OpenSSH 3.5p1 contains a vulnerability. When PermitRootLogin is enabled, sshd closes the TCP connection immediately after a login attempt with the correct password, but keeps the connection open after an attempt with an incorrect password. A remote attacker can therefore guess the password more easily by observing the connection state. This vulnerability is distinct from CVE-2003-0190.
|Vulnerability EXP
"Felipe Neuwald" <felipe.neuwald (at) loreno.com (dot) br [email concealed]> writes:
> felipe@worm felipe $ ssh -l root host
> Password:
> Password:
> Password:
> root@host's password:
> Permission denied, please try again.
> root@host's password:
> Permission denied, please try again.
> root@host's password:
> Permission denied (publickey,password,keyboard-interactive).

The first three prompts you see here are from PAM (working through
keyboard-interactive authentication), and the last three from password
authentication.  You probably shouldn't have both enabled at the same
time (though they are both enabled by default for historical reasons).
This is not really relevant to your problem, though.

> And now, trying login as root to the system, but typing the correct
> password:
>
> felipe@worm felipe $ ssh -l root host
> Password:
> Connection to host closed by remote host.
> Connection to host closed.

This is an old bug in OpenSSH which has been fixed in more recent
versions.

> It's easy to make one little program to discover with bruteforce the
> correct password of the root login.

True, but it would be *very* slow, and it would fill the target
system's logs with warnings from sshd.

Brute-forcing a good N-character password takes about 60^N / 2
attempts on average.  The effective limit on password length in
FreeBSD, provided you use MD5 passwords (which is the default), is
somewhere north of 500 characters (imposed by the PAM conversation
API's 512-byte limit on prompts and responses).

> But... why still FreeBSD-STABLE are running this version of OpenSSH?

Because newer versions don't support Kerberos 4, and we don't want to
de-support Kerberos 4 so late in the RELENG_4 branch's life cycle.
FreeBSD 5, on the other hand, does not support Kerberos 4 (we dropped
it a year ago almost to the day), and has OpenSSH 3.8p1.  I have
verified that it does not exhibit the bug you found in -STABLE.

You could try to install OpenSSH 3.8 from ports, but I've had several
reports of problems with DSA host keys when using the port.

BTW, in the future, I would appreciate if you could raise issues such
as this on the freebsd-security (at) freebsd (dot) org [email concealed] mailing list before taking
them to BUGTRAQ.

DES
-- 
Dag-Erling Smørgrav - des (at) des (dot) no [email concealed]
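A defender's counterpart to the log-filling DES describes above, added here as an example that is not part of the original message or of OpenSSH: a small Python detector that scans sshd auth-log lines for bursts of failed root password attempts from one source and records whether that source also obtained an accepted root login. The log lines, the log format, the threshold and the time window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the page): one source tries
# root with wrong passwords, then logs in; an unrelated user fails once.
SAMPLE_LOG = """\
Apr 13 10:00:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 40001 ssh2
Apr 13 10:00:02 host sshd[1202]: Failed password for root from 198.51.100.7 port 40002 ssh2
Apr 13 10:00:03 host sshd[1203]: Failed password for root from 198.51.100.7 port 40003 ssh2
Apr 13 10:00:04 host sshd[1204]: Accepted password for root from 198.51.100.7 port 40004 ssh2
Apr 13 10:05:00 host sshd[1300]: Failed password for alice from 203.0.113.9 port 50000 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)

def parse_events(lines):
    """Yield (timestamp, result, user, ip) for password-auth log lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime defaults it to 1900
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["ip"]

def find_root_bruteforce(lines, threshold=3, window_s=60):
    """Map source IP -> (most failed root attempts inside any window_s span,
    whether that IP also has an 'Accepted password for root' line)."""
    fails, succeeded = defaultdict(list), set()
    for ts, result, user, ip in parse_events(lines):
        if user != "root":
            continue
        if result == "Failed":
            fails[ip].append(ts)
        else:
            succeeded.add(ip)
    hits = {}
    for ip, times in fails.items():
        times.sort()
        j = best = 0
        for i, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[j]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            hits[ip] = (best, ip in succeeded)
    return hits
```

A hit whose second element is True (failures followed by an accepted root login from the same source) is the case worth paging on; setting PermitRootLogin to no removes the oracle entirely.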
|References

Source: BUGTRAQ
Name: 20040413 Re: Fwd: [BID 7482, bug in OpenSSH (Still in FreeBSD-STABLE)]
Link: http://www.securityfocus.com/archive/1/360198
Source: SREASON
Name: 4100
Link: http://securityreason.com/securityalert/4100
Source: BUGTRAQ
Name: 20040412 BID 7482, bug in OpenSSH (Still in FreeBSD-STABLE)
Link: http://archive.cert.uni-stuttgart.de/bugtraq/2004/04/msg00162.html