[Full-disclosure] OpenSSH - System Account Enumeration if S/Key is used



Note to the Moderator: Sorry I send ya a Beta in the first mail :)

_ _ _____ _ ___ _____ _ _
/ / / / ____/ / / _/_ __/ / / /
/ /_/ / __/ / / / / / / / /_/ /
/ __ / /___/ /____/ / / / / __ /
/_/ /_/_____/_____/___/ /_/ /_/ /_/
Helith - 0815
--------------------------------------------------------------------------------

Author: Rembrandt
Date: Known since somewhere in 2005
Affected Software: OpenSSH 4.6 <=
Proppably everything which is based on OpenSSH
Type: Remote
Type: Enumeration of system accounts

Greets go to: Helith and all affiliated People, t3c0, levent, str0ke,
The EOF-Crew, rrlf, herm1t, Solar Designer, softxor,
Packetstorm (Todd, Emerson(Thanks for the Cohiba and beer))
and others

--------------------------------------------------------------------------------


OpenSSH is vulnerable to an information leak which allows remote attackers
to gain informations about system accounts, in case S/KEY is used on the system.

If "ChallengeResponseAuthentication" is set to "Yes", which is the default
setting, SH allows the user to login by using S/KEY in the form of
'ssh userid:skey@hostname'.

The normal behavior for SSH looks like this:

===============================================================================
alucard $ ssh user@somewhere
Permission denied (publickey,keyboard-interactive).
===============================================================================

Passwordauthentication is disabled as you can see.
Now you can test about ChallangeResponseAuthentication.
If it`s enabled it will let you determine the existence of system accounts.

===============================================================================
alucard $ ssh user:skey@somewhere
otp-md5 99 some04578
S/Key Password:

alucard $
===============================================================================

If a account does not exist OpenSSH reacts like exspected.

===============================================================================
alucard $ ssh testuser:skey@somewhere
Permission denied (publickey,keyboard-interactive).
===============================================================================


As you can see clearly OpenSSH discloses the existence of system accounts.
A possible solution for this problem would be to print a fake S/Key-Request
even for non existing users as well as it`s done with the
Passwordauthentication.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: [Full-disclosure] OpenSSH - System Account Enumeration if S/Key is used
    ... Proppably everything which is based on OpenSSH ... Type: Enumeration of system accounts ... This is bogus and old, ...
    (Full-Disclosure)
  • Re: Recent OpenSSH releases not reading .bashrc for ssh commands
    ... their .bashrc will no longer get them without engaging in..... ... ssh can invoke bash without it then reading .bashrc. ... which svn", the .bashrc is no longer read. ... you're on RHEL 5, you've installed an updated OpenSSH, and you try to ...
    (comp.security.ssh)
  • Re: two SSH compatibility scenarios: can it work?
    ... We are required to use SSH to log into the Engineering lab machines. ... > server software displays this header upon telnet connection to port 22. ... I still use Windows on my notebook for application compatibility. ... > running OpenSSH 3.4p1. ...
    (comp.security.ssh)
  • Re: OpenSSH, Telnet, Windows Authentication and double-hops
    ... deployment on a Windows network. ... Does this mean that you are setting SSH port forwarding ... does not provide the other side with either a Kerberos ticket, ... We're focusing on the OpenSSH for Windows distribution. ...
    (comp.security.ssh)
  • Re: ssh compatability issues
    ... >> without keeping two versions of ssh around on my home computer. ... running the OpenSSH server that comes with Solaris ... By 'some old security problems with that' I was not sure if you meant ...
    (comp.security.ssh)