<<< Date Index >>>     <<< Thread Index >>>

Re: AIX password enumeration possible



Scott J wrote:
[snippage]
Abstract:           Remote password enumeration possible for
                    accounts not permitted direct login in AIX
Affected Systems:   AIX 4.3.3 and AIX 5.1, likely other levels of AIX
[...]
Known Vulnerable:

AIX 4.3.3 maintenance level 10 applied - assume all levels of AIX 4.3.3
AIX 5.1 maintenance level 4 applied - assume all levels of AIX 5.1
[...]
Access methods tested and verified:
[...]
ssh ( OpenSSH - no commercial SSH variant tested )

++ Note: OpenSSH version most recently tested was the prepackaged version for AIX 5.1 currently available (as of Feb. 2004) on DeveloperWorks at: http://oss.software.ibm.com/developerworks/projects/opensshi It's not known for certain if this weakness would exist for an in-house compiled version of Portable OpenSSH on AIX but as the weakness is believed to be in the response from the login program after authentication has taken place, it would also likely be affected. Also, it makes no difference if sshd is configured to allow or disallow root login via the PermitRootLogin option.

Could you please elaborate how you were able to cause this behaviour
with OpenSSH's sshd? (ssh -vvv and matching sshd -ddd would be very helpful, feel free to send those to me directly or post to the OpenSSH devel list: openssh-unix-dev at mindrot.org.)

An account with rlogin=false will cause the loginrestrictions test (in
getpwnamallow() in auth.c) to fail.  The remainder of the
authentications will consider the user "illegal" but should not give any
external indication of this.  You will see "3004-306 Remote logins are
not allowed for this account" on the server side if you have debugging
enabled, but this is (well, should) not sent to the user.

I tested "openssh361p2_51_patch.tar.Z" from the IBM site on 5.1 ML4 and was not able to reproduce the described behaviour with the default config. The only way I could cause it was with the root account with PermitRootLogin=yes and UseLogin=yes. PermitRootLogin=no prevented it, and UseLogin is not on by default (at least in the vanilla OpenSSH distribution).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.