OpenSSH - System Account Enumeration if S/Key is used

2007-04-27 / 2012-03-12
Credit: Rembrandt
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-287


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Author : Rembrandt Date : 2007-04-21 Affected Software: openssh (propably other implementations as well) Affected OS : any Type : Information Disclosure OSVDB : 34600 CVE : 2007-2243 ISS X-Force: : 33794 BID : 23601 OpenSSH, when configured to use S/KEY authentication, is prone to a remote information disclosure weakness. The issue occurs due to the S/KEY challenge/response system being used for valid accounts. If a remote attacker systematically attempsauthentication against a list of usernames, he can watch the response to determine which accounts are valid. If "ChallengeResponseAuthentication" is set to "Yes", which is the default setting, OpenSSH allows the user to login by using S/KEY in the form of 'ssh userid:skey at hostname'. Steps to reproduce: $ ssh user@somewhere Permission denied (publickey,keyboard-interactive). $ ssh user:skey@somewhere otp-md5 99 some04578 S/Key Password: $ If the useraccount exist but is not configured to use S/KEY or if the useraccount does not exist at the specific system the response looks normal. $ ssh testuser:skey@somewhere Permission denied (publickey,keyboard-interactive). As you can see clearly OpenSSH discloses the existence of system accounts. Kind regards, Rembrandt

References:

http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053951.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053906.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top