Re: AIX password enumeration possible

To: Scott J <mrbinary@xxxxxxxxx>
Subject: Re: AIX password enumeration possible
From: Darren Tucker <dtucker@xxxxxxxxxx>
Date: Tue, 17 Feb 2004 23:37:50 +1100
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20040206115118.31984.qmail@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20040206115118.31984.qmail@xxxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113

Scott J wrote:
[snippage]

Abstract:           Remote password enumeration possible for
                    accounts not permitted direct login in AIX
Affected Systems:   AIX 4.3.3 and AIX 5.1, likely other levels of AIX

[...]

Known Vulnerable:

AIX 4.3.3 maintenance level 10 applied - assume all levels of AIX 4.3.3
AIX 5.1 maintenance level 4 applied - assume all levels of AIX 5.1

[...]

Access methods tested and verified:

[...]

ssh ( OpenSSH - no commercial SSH variant tested )
++ Note: OpenSSH version most recently tested was the prepackaged versionfor AIX 5.1 currently available (as of Feb. 2004) on DeveloperWorks at:http://oss.software.ibm.com/developerworks/projects/opensshiIt's not known for certain if this weakness would exist for an in-housecompiled version of Portable OpenSSH on AIX but as the weakness isbelieved to be in the response from the login program after authenticationhas taken place, it would also likely be affected. Also, it makes nodifference if sshd is configured to allow or disallow root login viathe PermitRootLogin option.


Could you please elaborate how you were able to cause this behaviour

with OpenSSH's sshd? (ssh -vvv and matching sshd -ddd would be veryhelpful, feel free to send those to me directly or post to the OpenSSHdevel list: openssh-unix-dev at mindrot.org.)


An account with rlogin=false will cause the loginrestrictions test (in
getpwnamallow() in auth.c) to fail.  The remainder of the
authentications will consider the user "illegal" but should not give any
external indication of this.  You will see "3004-306 Remote logins are
not allowed for this account" on the server side if you have debugging
enabled, but this is (well, should) not sent to the user.

I tested "openssh361p2_51_patch.tar.Z" from the IBM site on 5.1 ML4 andwas not able to reproduce the described behaviour with the defaultconfig. The only way I could cause it was with the root account withPermitRootLogin=yes and UseLogin=yes. PermitRootLogin=no prevented it,and UseLogin is not on by default (at least in the vanilla OpenSSHdistribution).


--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

References:
- AIX password enumeration possible
  - From: Scott J

Prev by Date: Re: [Full-Disclosure] ASN.1 telephony critical infrastructure warning - VOIP
Next by Date: ZH2004-07SA (security advisory): Multiple Sql injection vulnerabilities in Online Store Kit 3.0 Products (Lite - Standard and Pro)
Previous by thread: Re: AIX password enumeration possible
Next by thread: RE: Round One: "DLL Proxy" Attack Easily Hijacks SSL from Interne t Explorer
Index(es):
- Date
- Thread