Date: Mon, 9 Oct 2006 12:33:05 +0200 (CEST)
From: Marco Ivaldi <raptor@0xdeadbeef.info>
To: [email protected]
Subject: yet another OpenSSH timing leak?
Message-ID: <Pine.BSO.4.63.0609301537050.27887@shinobi.blackhats.it>
Hello Bugtraq,

Here we are again... During a recent penetration test I stumbled upon yet another OpenSSH timing leak, leading to remote disclosure of valid usernames. It's not as big as the one I found in the past (CVE-2003-0190), but it can indeed be exploited over the Internet, nevertheless.

This time, OpenSSH-portable apparently introduces a small delay (see attached transcript for details) when verifying access credentials for users with a password set: it doesn't matter if they don't have a valid shell or login has been disabled through an sshd_config directive.

So far, I've not been able to determine the root cause of this exposure and I've reproduced it only on some fully-patched SUSE Linux 10.0 boxes (OpenSSH_4.1 + SUSE patches, both protocols 1 and 2 are affected, with or without PAM authentication), therefore it may be a SUSE-specific and/or a configuration-dependent flaw (latest tests on some freshly installed SUSE systems didn't show the flawed behaviour).

That said, there are probably other timing leaks involving third-party patches (x509 certs, LDAP, and so on), logging, and custom configurations, as well as other ways in which valid usernames may be probed for (i.e., with RSA/DSA authentication) -- thus I decided to release a small script for testing timing patterns in sshd replies:

http://www.0xdeadbeef.info/code/sshtime

It needs expect, and the target ssh host key must already be added. I'd be very interested in knowing the results of tests performed on other distros and configurations.

Thanks to Solar Designer and Andrea Barisani for the interesting discussion on this topic.

Cheers,
--
Marco Ivaldi
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
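The pattern the post describes (rejection is cheap unless the account actually has a password set, so response time separates real accounts from the rest) next to the standard mitigation, always performing the same expensive verification. This is an added Python illustration, not code from the post or from OpenSSH; the account database, salt, passwords and the hash-call counter are constructed here, and the counter stands in for wall-clock timing so the cost difference is visible deterministically.

```python
import hashlib
import hmac
import os

ROUNDS = 50_000  # deliberately slow hash so the cost difference is visible
SALT = b"constructed-salt"  # constructed; a real system stores a per-user salt

def _pbkdf2(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS)

# Constructed demo account database: a hash for accounts with a password set,
# None for an account that exists but has no password (like a locked system user).
USERS = {
    "root": _pbkdf2("correct horse", SALT),
    "media": _pbkdf2("battery staple", SALT),
    "nobody": None,
}

# Counts expensive hash computations, so cost is observable without wall-clock timing.
HASH_CALLS = {"n": 0}

def slow_hash(pw: str) -> bytes:
    HASH_CALLS["n"] += 1
    return _pbkdf2(pw, SALT)

def check_leaky(user: str, pw: str) -> bool:
    """The pattern the post describes: the expensive verification runs only when the
    account has a password set, so unknown or password-less accounts are rejected
    measurably faster than real ones and the response time reveals which is which."""
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(slow_hash(pw), stored)

# Hash of a random string: compared against when no real hash exists; never matches.
FAKE_HASH = _pbkdf2(os.urandom(16).hex(), SALT)

def check_constant_work(user: str, pw: str) -> bool:
    """Hardened form: always hash and compare against some value, so every outcome
    costs exactly one hash. The trailing 'and' keeps password-less accounts locked."""
    stored = USERS.get(user)
    ok = hmac.compare_digest(slow_hash(pw), stored if stored is not None else FAKE_HASH)
    return ok and stored is not None

def hash_calls_for(checker, user: str, pw: str) -> int:
    """How many expensive hash computations one authentication attempt costs."""
    HASH_CALLS["n"] = 0
    checker(user, pw)
    return HASH_CALLS["n"]
```

Equalising the hash work closes only this one channel; as the post notes, shell lookups, PAM modules, third-party patches and logging can each add their own user-dependent delay, so the measurement the sshtime script performs against your own server remains the real check.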
Attachment: yet-another-openssh-timing-leak.txt (text/plain transcript, base64-encoded)