|
Message-ID: <b175ea89-96b7-8645-4d82-1d8be96fc78e@securitum.pl> Date: Thu, 23 Aug 2018 09:50:08 +0200 From: Dariusz Tytko <dariusz.tytko@...uritum.pl> To: oss-security@...ts.openwall.com Subject: Re: OpenSSH Username Enumeration Hi, We have published our writeup https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/, hope it helps to better understanding the problem. Best regards, Dariusz Tytko W dniu 17.08.2018 o 20:31, Salvatore Bonaccorso pisze: > Hi, > > On Wed, Aug 15, 2018 at 09:05:58AM -0700, Qualys Security Advisory wrote: >> Hi all, >> >> We sent the following email to openssh@...nssh.com and >> distros@...openwall.org about an hour ago, and it was decided that we >> should send it to oss-security@...ts.openwall.com right away (as far as >> we know, no CVE has been assigned to this issue yet): >> >> ======================================================================== >> >> While reviewing the latest OpenSSH commits, we stumbled across: >> >> https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 >> >> Date: Tue Jul 31 03:10:27 2018 +0000 >> delay bailout for invalid authenticating user until after the packet >> containing the request has been fully parsed. Reported by Dariusz Tytko >> and Michal Sajdak; ok deraadt >> >> We realized that without this patch, a remote attacker can easily test >> whether a certain user exists or not (username enumeration) on a target >> OpenSSH server: >> >> 87 static int >> 88 userauth_pubkey(struct ssh *ssh) >> 89 { >> ... >> 101 if (!authctxt->valid) { >> 102 debug2("%s: disabled because of invalid user", __func__); >> 103 return 0; >> 104 } >> 105 if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || >> 106 (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || >> 107 (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) >> 108 fatal("%s: parse request failed: %s", __func__, ssh_err(r)); >> >> The attacker can try to authenticate a user with a malformed packet (for >> example, a truncated packet), and: >> >> - if the user is invalid (it does not exist), then userauth_pubkey() >> returns immediately, and the server sends an SSH2_MSG_USERAUTH_FAILURE >> to the attacker; >> >> - if the user is valid (it exists), then sshpkt_get_u8() fails, and the >> server calls fatal() and closes its connection to the attacker. >> >> We believe that this issue warrants a CVE; it affects all operating >> systems, all OpenSSH versions (we went back as far as OpenSSH 2.3.0, >> released in November 2000), and is easier to exploit than previous >> OpenSSH username enumerations (which were all timing attacks): >> >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190 >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229 >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210 > This new issue got assigned CVE-2018-15473 by MITRE. > > Regards, > Salvatore -- Dariusz Tytko securitum.pl - bezpieczeństwo systemów IT. sekurak.pl - piszemy o bezpieczeństwie.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.