BID 7482, bug in OpenSSH (Still in FreeBSD-STABLE)

From: Felipe Neuwald (felipe.neuwald_at_loreno.com.br)
Date: 04/12/04

Next message: IO ERROR: "Citadel/UX 6.20 fixes local permissions vulnerability"

Previous message: Janek Vind: "[waraxe-2004-SA#017 - User-level authentication bypass in phpnuke 6.x-7.2]"
Next in thread: Damien Miller: "Re: BID 7482, bug in OpenSSH (Still in FreeBSD-STABLE)"
Reply: Damien Miller: "Re: BID 7482, bug in OpenSSH (Still in FreeBSD-STABLE)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: bugtraq@securityfocus.com
Date: Mon, 12 Apr 2004 09:07:51 -0300

Hello Folks,

I tested only versions OpenSSH_3.5p1 (FreeBSD-STABLE), but it also work
on other versions, as published May 01, 2003.
Ok, let's talk about it. First, the /etc/ssh/sshd_config file:
<cut>
PermitRootLogin no
<cut>
As you can see above, is not allowed to root login on that system. Fine.
Now, trying login as root to the system, and type the wrong password:

felipe@worm felipe $ ssh -l root host
Password:
Password:
Password:
root@host's password:
Permission denied, please try again.
root@host's password:
Permission denied, please try again.
root@host's password:
Permission denied (publickey,password,keyboard-interactive).

And now, trying login as root to the system, but typing the correct
password:

felipe@worm felipe $ ssh -l root host
Password:
Connection to host closed by remote host.
Connection to host closed.

It's easy to make one little program to discover with bruteforce the
correct password of the root login. If the attacker have physical access
to the system, it's very easy own the system.
But... why still FreeBSD-STABLE are running this version of OpenSSH?

-- 
Felipe Neuwald
felipe.neuwald@loreno.com.br
+55 61 3038-5038
+55 61 9557-6870
------
Chave pública PGP / PGP public key:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE508F3

application/pgp-signature attachment: Esta Q?= uma parte de mensagem assinada digitalmente

Next message: IO ERROR: "Citadel/UX 6.20 fixes local permissions vulnerability"

Previous message: Janek Vind: "[waraxe-2004-SA#017 - User-level authentication bypass in phpnuke 6.x-7.2]"
Next in thread: Damien Miller: "Re: BID 7482, bug in OpenSSH (Still in FreeBSD-STABLE)"
Reply: Damien Miller: "Re: BID 7482, bug in OpenSSH (Still in FreeBSD-STABLE)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

User Mode Linux = Network Problem
... For UML, root filesystem is Debian 3.0, ip adress 192.168.1.101, ... On the host: ... Initializing software serial port version 1 ... Configuring network interfaces: done. ...
(comp.os.linux.networking)
User Mode Linux = Network Failed !
... For UML, root filesystem is Debian 3.0, ip adress 192.168.1.101, ... On the host: ... Initializing software serial port version 1 ... Configuring network interfaces: done. ...
(comp.os.linux.development.system)
Re: Anglo-Saxon Plant-Name Survey
... find a host they quickly die; if they do find a host ... Whether they used the 'root' may be a matter of definition: ... See e.g. this real Broomrape http://tinyurl.com/ndooo ... how about the ground seeds and we are ...
(soc.history.medieval)
RE: Cant reboot after update
... Kernel panic-not syncing: VFS: unable to mount root fs on ... server in our server room just after I started a normal reboot, ... etch host running on a Dell PowerEdge 2450 server. ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx ...
(Debian-User)
Exim4 behaviour when long term failure of outgoing address
... I am using Debian Squeeze on a virtual machine that I lease. ... It has exim4 version as its mail server. ... retry time not reached for any host after a long failure period ... Because there are no particular e-mail accounts on this machine, I have an /etc/aliases file which aliases all the standard addresses to root and then aliases root to one of my normal e-mail addresses. ...
(Debian-User)