Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:4475
HistoryMay 03, 2003 - 12:00 a.m.

OpenSSH/PAM timing attack allows remote users identification

2003-05-0300:00:00
vulners.com
22

Security Advisory @ Mediaservice.net Srl
(#01, 30/04/2003) Data Security Division

     Title: OpenSSH/PAM timing attack allows remote users identification

Application: OpenSSH-portable <= 3.6.1p1
Platform: Linux, maybe others
Description: A remote attacker can identify valid users on vulnerable
systems, all PAM-enabled systems are potentially affected
Author: Marco Ivaldi <[email protected]>
Contributors: Maurizio Agazzini <[email protected]>,
Solar Designer <[email protected]>,
Andrea Ghirardini <[email protected]>
Vendor Status: OpenSSH team notified on 12/04/2003,
vendor-sec list notified on 28/04/2003
CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
the name CAN-2003-0190 to this issue.
References: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190

  1. Abstract.

During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM
support enabled (via the --with-pam configure script switch). This bug allows a
remote attacker to identify valid users on vulnerable systems, through a simple
timing attack. The vulnerability is easy to exploit and may have high severity,
if combined with poor password policies and other security problems that allow
local privilege escalation.

  1. Example Attack Session.

root@voodoo:~# ssh [valid_user]@lab.mediaservice.net
[valid_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string
[2 secs delay]
Permission denied, please try again.

root@voodoo:~# ssh [no_such_user]@lab.mediaservice.net
[no_such_user]@lab.mediaservice.net's password: <- arbitrary (non-null) string
[no delay]
Permission denied, please try again.

  1. Affected Platforms.

All vendors supporting Linux-PAM are potentially affected. This includes:

  • Debian GNU/Linux [confirmed in the default install]
  • Red Hat Linux [confirmed in the default install]
  • Mandrake Linux [confirmed in the default install]
  • SuSE Linux [not confirmed in the default install]
  • Caldera/SCO Linux [not confirmed in the default install]
  • Apple OS-X [not confirmed in the default install]
  • MSC.Linux [not confirmed in the default install]

NOTE. FreeBSD uses both a different PAM implementation and a different PAM
support in OpenSSH: it doesn't seem to be vulnerable to this particular timing
leak issue.

All OpenSSH-portable releases <= OpenSSH_3.6.1p1 compiled with PAM support
enabled (./configure --with-pam) are vulnerable to this information leak. The
PAMAuthenticationViaKbdInt directive doesn't need to be enabled in sshd_config.

  1. Fix.

There is currently no complete fix to this. Moreover, there are many smaller
timing leaks which too are easy to use to obtain the same information. These
are primarily in OpenSSH and in the system libraries (getpwnam(3), NSS modules,
and so on). Solving this kind of timing leaks requires a re-design of the
authentication code paths (partially in OpenBSD tree and partially only in
-portable).

Solar Designer has written an OpenSSH-portable patch for Openwall GNU/*/Linux
(http://www.openwall.com/Owl/&#41; that makes OpenSSH always run PAM with password
authentication, even for non-existent or not allowed usernames, thus fixing the
bigger problem outlined in this advisory. Please note that this patch merely
reduces the timing leaks without fully removing them. Other OpenSSH patches
from the Owl project are available via:

cvs -d :pserver:anoncvs:[email protected]:/cvs co Owl/packages/openssh

The OpenSSH team has released OpenSSH 3.6.1p2, which includes the changes
introduced by Openwall GNU/*/Linux. All OpenSSH-portable users are encouraged
to upgrade.

Our team (with the contribution of Andrea Ghirardini) has been able to find a
valid workaround for the specific timing leak mentioned in this advisory: just
add the "nodelay" option to the pam_unix.so auth configuration.

This is a modified (not vulnerable) configuration for Red Hat Linux (notice
the "nodelay" option on line 2 of /etc/pam.d/system-auth):

[root@redhat pam.d]# pwd
/etc/pam.d
[root@redhat pam.d]# cat sshd
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
[root@redhat pam.d]# cat system-auth
#%PAM-1.0

This file is auto-generated.

User changes will be destroyed the next time authconfig is run.

auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok nodelay
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so

password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

  1. Proof Of Concept.

The @ Mediaservice.net D.S.D. (Data Security Division) has developed a working
proof of concept that automatically exploits this information leak issue. The
source code is available for free download at:

http://lab.mediaservice.net/code/ssh_brute.c
http://lab.mediaservice.net/code/openssh-3.6.1p1_brute.diff

Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved.

Related for SECURITYVULNS:DOC:4475