Date: Mon, 12 Apr 2004 09:07:51 -0300
From: Felipe Neuwald <[email protected]>
To: [email protected]Subject: BID 7482, bug in OpenSSH (Still in FreeBSD-STABLE)
--=-JgRIg+8linuN5R8irt29
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Hello Folks,
I tested only versions OpenSSH_3.5p1 (FreeBSD-STABLE), but it also work
on other versions, as published May 01, 2003.
Ok, let's talk about it. First, the /etc/ssh/sshd_config file:
<cut>
PermitRootLogin no
<cut>
As you can see above, is not allowed to root login on that system. Fine.
Now, trying login as root to the system, and type the wrong password:
felipe@worm felipe $ ssh -l root host
Password:
Password:
Password:
root@host's password:
Permission denied, please try again.
root@host's password:
Permission denied, please try again.
root@host's password:
Permission denied (publickey,password,keyboard-interactive).
And now, trying login as root to the system, but typing the correct
password:
felipe@worm felipe $ ssh -l root host
Password:
Connection to host closed by remote host.
Connection to host closed.
It's easy to make one little program to discover with bruteforce the
correct password of the root login. If the attacker have physical access
to the system, it's very easy own the system.
But... why still FreeBSD-STABLE are running this version of OpenSSH?
--=20
Felipe Neuwald
[email protected]
+55 61 3038-5038
+55 61 9557-6870
------
Chave p=FAblica PGP / PGP public key:
http://pgp.mit.edu:11371/pks/lookup?op=3Dget&search=3D0x8AE508F3
--=-JgRIg+8linuN5R8irt29
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: Esta =?ISO-8859-1?Q?=E9?= uma parte de mensagem
assinada digitalmente
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQBAeoaXsS/x64rlCPMRAjWTAKCuAXN4dzxv4kt2yPg26UJhURmspwCfd+bI
eSdG7/a7BNVv3Kxddcgq6Ho=
=/Zx5
-----END PGP SIGNATURE-----
--=-JgRIg+8linuN5R8irt29--
