Re: yet another OpenSSH timing leak?

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: yet another OpenSSH timing leak?
From: Gianluca Varisco <giangy@xxxxxxxxxxxxxx>
Date: Tue, 10 Oct 2006 00:41:25 +0200
Cc: Marco Ivaldi <raptor@xxxxxxxxxxxxxxx>
In-reply-to: <Pine.BSO.4.63.0609301537050.27887@xxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: TechTemple Research Lab
References: <Pine.BSO.4.63.0609301537050.27887@xxxxxxxxxxxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.7 (X11/20060909)

Marco Ivaldi wrote:

It needs expect, and target ssh hostkey must be already added. I'd bevery interested in knowing the results of tests performed on otherdistros and configurations.


Hi Marco,

nice to meet you :-). I tried to do this test over my 10 Mbps lan andthis is the result:


giangy@thor:~/dev$ ./sshtime calipso users.txt

a@calipso                       real 9.55
root@calipso                    real 9.33 <- valid user with shell
wheel@calipso                   real 10.44
giangy@calipso                  real 9.49
cdrom@calipso                   real 9.68
burning@calipso                 real 9.47
mysql@calipso                   real 9.35
operator@calipso                real 9.59 <- valid user with shell
test@calipso                    real 9.51 <- valid user with shell

Another test:

a@calipso                  real 9.37
root@calipso               real 9.90 <- valid user with shell
wheel@calipso              real 10.66
giangy@calipso             real 9.41
cdrom@calipso              real 9.30
burning@calipso            real 10.30
mysql@calipso              real 9.47
operator@calipso           real 10.21 <- valid user with shell
test@calipso               real 10.98 <- valid user with shell
daemon@calipso             real 7.14
abcd@calipso               real 7.20

"root", "operator" and "test" are valid users with a valid shellenabled. I made this test on Slackware 11.0 (fresh installation) withOpenSSH_4.4p1. I used the default sshd_config (seehttp://slackware.osuosl.org/slackware-current/source/n/openssh/ for moreinformations about the package). So, I don't received any timing leak inthis session.

I'll try as possible other distributions and configurations. However,good work Marco :-).


Best Regards,

Gianluca Varisco

References:
- yet another OpenSSH timing leak?
  - From: Marco Ivaldi

Prev by Date: MHL-2006-001 Public Advisory: "Eazy Cart" Multiple Security Issues
Next by Date: [security bulletin] HPSBUX02087 SSRT4728 rev.4 - HP-UX running TCP/IP Remote Denial of Service (DoS)
Previous by thread: yet another OpenSSH timing leak?
Next by thread: Re: yet another OpenSSH timing leak?
Index(es):
- Date
- Thread