bug in OpenSSH (Still in FreeBSD-STABLE)

Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

"Felipe Neuwald" <felipe.neuwald (at) loreno.com (dot) br [email concealed]> writes: > felipe@worm felipe $ ssh -l root host > Password: > Password: > Password: > root@host's password: > Permission denied, please try again. > root@host's password: > Permission denied, please try again. > root@host's password: > Permission denied (publickey,password,keyboard-interactive). The first three prompts you see here are from PAM (working through keyboard-interactive authentication), and the last three from password authentication. You probably shouldn't have both enabled at the same time (though they are both enabled by default for historical reasons). This is not really relevant to you problem, though. > And now, trying login as root to the system, but typing the correct > password: > > felipe@worm felipe $ ssh -l root host > Password: > Connection to host closed by remote host. > Connection to host closed. This is an old bug in OpenSSH which has been fixed in more recent versions. > It's easy to make one little program to discover with bruteforce the > correct password of the root login. True, but it would be *very* slow, and it would fill the target system's logs with warnings from sshd. Brute-forcing a good N-character password takes about 60^N / 2 attempts on average. The effective limit on password length in FreeBSD, provided you use MD5 passwords (which is the default), is somewhere north of 500 characters (imposed by the PAM conversation API's 512-byte limit on prompts and responses) > But... why still FreeBSD-STABLE are running this version of OpenSSH? Because newer versions don't support Kerberos 4, and we don't want to de-support Kerberos 4 so late in the RELENG_4 branch's life cycle. FreeBSD 5, on the other hand, does not support Kerberos 4 (we dropped it a year ago almost to the day), and has OpenSSH 3.8p1. I have verified that it does not exhibit the bug you found in -STABLE. You could try to install OpenSSH 3.8 from ports, but I've had several reports of problems with DSA host keys when using the port. BTW, in the future, I would appreciate if you could raise issues such as this on the freebsd-security (at) freebsd (dot) org [email concealed] mailing list before taking them to BUGTRAQ. DES -- Dag-Erling Sm?rgrav - des (at) des (dot) no [email concealed]



Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com


Back to Top