[UNIX] OpenSSH 3.4p1 Allows Revealing of Password (Privsep Feature)
From: support@securiteam.com
Date: 09/18/02
From: support@securiteam.com To: list@securiteam.com Date: Wed, 18 Sep 2002 15:00:03 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
OpenSSH 3.4p1 Allows Revealing of Password (Privsep Feature)
------------------------------------------------------------------------
SUMMARY
During authentication, OpenSSH 3.4p1 with privsep enabled passes the
cleartext password between the main process and the privsep child over a
pipe. Using strace or truss on the sshd processes, root can watch the
user's plaintext password go by. Andrew observed this behavior with
OpenSSH 3.4p1 built using GCC on Solaris 2.8 and with the current Debian
OpenSSH 3.4p1 package.
DETAILS
Given the above, the effort required to recover cleartext passwords is
almost zero, even for the most inexperienced UNIX administrator. Andrew
acknowledges that, no matter how you slice it, root can always grab the
password from wherever it is held in memory, recompile sshd to log the
password, or use any number of other methods. However, all of those
methods require significantly more know-how than:
truss -fp `cat /var/run/sshd.pid`
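The exposure described above comes from an attached tracer (strace, truss) reading the sshd processes. On Linux, a process that is currently being traced reports the tracer's PID in the TracerPid field of /proc/&lt;pid&gt;/status, which gives a defender a simple check for this exact activity. The following script is an added example, not part of the original advisory or of OpenSSH: it parses the status file format and flags any sshd process with a live tracer attached. The sample status excerpts in it are constructed for illustration, and the live scan assumes a Linux-style /proc (Solaris /proc differs and is not covered here).

```python
"""Detect tracers attached to sshd processes via /proc/<pid>/status.

Added example (not from the advisory): an attached ptrace tracer such as
strace shows up as a non-zero TracerPid field. A tracer that has already
detached leaves no trace here, so this is a point-in-time check.
"""
import os
from typing import Dict, List, Optional, Tuple


def parse_proc_status(text: str) -> Dict[str, str]:
    """Parse the 'Key:<tab>value' lines of a /proc/<pid>/status file."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def tracer_of(status: Dict[str, str]) -> Optional[int]:
    """Return the tracer PID if the process is being traced, else None."""
    tracer = int(status.get("TracerPid", "0") or 0)
    return tracer if tracer > 0 else None


def is_traced_sshd(status: Dict[str, str]) -> bool:
    """True when the process is an sshd process with a tracer attached."""
    return status.get("Name") == "sshd" and tracer_of(status) is not None


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, int]]:
    """Live scan: return (sshd_pid, tracer_pid) pairs for every traced sshd."""
    findings: List[Tuple[int, int]] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                status = parse_proc_status(fh.read())
        except OSError:
            continue  # process exited or status not readable
        if is_traced_sshd(status):
            findings.append((int(entry), tracer_of(status)))
    return findings


# Constructed sample /proc/<pid>/status excerpts (not real captures).
SAMPLE_UNTRACED = (
    "Name:\tsshd\nState:\tS (sleeping)\nPid:\t1234\nTracerPid:\t0\nUid:\t0\t0\t0\t0\n"
)
SAMPLE_TRACED = (
    "Name:\tsshd\nState:\tt (tracing stop)\nPid:\t1234\nTracerPid:\t4321\nUid:\t0\t0\t0\t0\n"
)
SAMPLE_OTHER = "Name:\tbash\nState:\tS (sleeping)\nPid:\t999\nTracerPid:\t4321\n"

if __name__ == "__main__":
    for pid, tracer in scan_proc():
        print(f"ALERT: sshd pid {pid} is being traced by pid {tracer}")
```

Run it from cron or a monitoring agent; a hit means someone with ptrace rights is attached to sshd at that moment, which is the precondition for the truss/strace observation the advisory describes. Since root can also detach before a scan runs, pair this with audit logging of ptrace attachments where the platform offers it.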
Vendor response:
Theo and Markus told Andrew that this is not an issue. Theo says that you
cannot prevent root from determining a user's password. Andrew does not
disagree but asked why OpenBSD bothers to encrypt user passwords at all if
that is his attitude.
ADDITIONAL INFORMATION
The information has been provided by <mailto:acd@weirdness.net> Andrew
Danforth.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.