Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] OpenSSH - System Account Enumeration if S/Key is used

from [rembrandt] Network Security [Permanent Link]
Subject: [Full-disclosure] OpenSSH - System Account Enumeration if S/Key is used
Date: Sat, 21 Apr 2007 02:27:17 +0200 
Note to the Moderator: Sorry I send ya a Beta in the first mail :)

                     _   _ _____ _     ___ _____ _   _
                    / / / / ____/ /   /  _/_  __/ / / /
                   / /_/ / __/ / /    / /  / / / /_/ /
                  / __  / /___/ /____/ /  / / / __  /
                 /_/ /_/_____/_____/___/ /_/ /_/ /_/ 
                            Helith - 0815
--------------------------------------------------------------------------------

Author: Rembrandt
Date: Known since somewhere in 2005
Affected Software: OpenSSH 4.6 <=
                   Proppably everything which is based on OpenSSH
Type: Remote
Type: Enumeration of system accounts

Greets go to: Helith and all affiliated People, t3c0, levent, str0ke,
              The EOF-Crew, rrlf, herm1t, Solar Designer, softxor,
              Packetstorm (Todd, Emerson(Thanks for the Cohiba and beer))
              and others

--------------------------------------------------------------------------------


OpenSSH is vulnerable to an information leak which allows remote attackers
to gain informations about system accounts, in case S/KEY is used on the system.

If "ChallengeResponseAuthentication" is set to "Yes", which is the default
setting, SH allows the user to login by using S/KEY in the form of 
'ssh userid:skey@hostname'.

The normal behavior for SSH looks like this:

===============================================================================
alucard $ ssh user@somewhere
Permission denied (publickey,keyboard-interactive).
===============================================================================

Passwordauthentication is disabled as you can see.
Now you can test about ChallangeResponseAuthentication.
If it`s enabled it will let you determine the existence of system accounts.

===============================================================================
alucard $ ssh user:skey@somewhere
otp-md5 99 some04578
S/Key Password:

alucard $
===============================================================================

If a account does not exist OpenSSH reacts like exspected.

===============================================================================
alucard $ ssh testuser:skey@somewhere
Permission denied (publickey,keyboard-interactive).
===============================================================================


As you can see clearly OpenSSH discloses the existence of system accounts.
A possible solution for this problem would be to print a fake S/Key-Request
even for non existing users as well as it`s done with the 
Passwordauthentication.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] [MU-200704-01] Pre-Authentication Vulnerability in Mac OS X RPC runtime library, noreply
Next by Date:  Re: [Full-disclosure] OT? - TDBanknorth + merchant's CC auth, Troy Cregger
Previous by Thread:  [Full-disclosure] [MU-200704-01] Pre-Authentication Vulnerability in Mac OS X RPC runtime library, noreply
Next by Thread:  Re: [Full-disclosure] OpenSSH - System Account Enumeration if S/Key is used, Stanislaw Klekot
Indexes:  [Date] [Thread] [Top] [All Lists]