7485558 2001-11-11 18:29 -0700  /66 lines/ Joel Maslak <jmaslak@antelope.net>
Sent by: joel@lysator.liu.se
Imported: 2001-11-13 04:51 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19730>
Subject: OpenSSH & S/Key information leakage
------------------------------------------------------------
From: Joel Maslak <jmaslak@antelope.net>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.21.0111111810040.9341-100000@bigsky.antelope.net>

FIRST: Neither of these information leakage issues is a security bug in
itself.  Both S/Key and OpenSSH are secure even with this issue.  However,
this information leakage may assist a hostile attacker.

General S/Key Information Leakage:

As is commonly known, the S/Key (and OPIE) one-time password system will
send the user a challenge string.  This string is provided after the
username is entered.  The string looks like:

    otp-md5 98 indi26401

This string will tell you several things:

1) What hash algorithm is being used (in this case, md5).  Because some
   hash algorithms are weaker than others, this will help an attacker
   determine which accounts to attempt to attack.

2) The "indi26401" is a "seed" value.  If this seed changes, then it is
   clear that the user has changed the passphrase that S/Key uses to
   generate one time passwords.

3) The "98" indicates that S/Key is expecting password #98.  By watching
   this number, it is possible to determine a user's login frequency.  By
   watching it at different times in the day, the user's habits can be
   determined.  Note that in an S/Key enabled system, "su" also uses S/Key
   passwords for root, which helps an attacker know when the system
   administrators are maintaining the system (and when they are on
   vacation...).

OpenSSH & S/Key Implementation Problems

There are some bad implementations of S/Key in client programs.  OpenSSH
(at least on OpenBSD 2.9) is one such bad implementation.
OpenSSH only provides this challenge string if (1) the user exists and
(2) the user is using one-time-passwords.  Otherwise, it simply asks for a
password (or "hangs up" on the remote client if reusable passwords are not
allowed).  Obviously, in an environment where one-time-passwords are
required, this provides an easy way of finding out usernames.

FIXES:

- If S/Key passwords are used at all, "fake" challenge strings should be
  printed whenever a real challenge string is not available.  OPIE does
  this right.

- Unfortunately, much of the information leakage can not be helped.  It
  would be trivial to prevent display of the hash algorithm used, but that
  would provide very little security - the real threat is the sequence
  number, as it lets an attacker profile a system.  The sequence number is
  required as it is used when precomputed password lists are used.

- OpenSSH and other programs often monitor failed logins.  Reviewing your
  logs will alert you to this type of activity.  However, once alerted,
  your options are very limited - either disconnect your system from the
  network or allow yourself to continue to be probed!
  (you might block offenders' IP addresses, but that will be difficult as
  offenders usually have a large number of IPs to come from)

-- 
Joel Maslak
(7485558) /Joel Maslak <jmaslak@antelope.net>/(Reformatted)
Comment in text 7488779 by Markus Friedl <markus@openbsd.org>

7488779 2001-11-13 13:00 +0100  /21 lines/ Markus Friedl <markus@openbsd.org>
Sent by: joel@lysator.liu.se
Imported: 2001-11-13 14:57 by Brevbäraren
External recipient: Joel Maslak <jmaslak@antelope.net>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19738>
Comment to text 7485558 by Joel Maslak <jmaslak@antelope.net>
Subject: Re: OpenSSH & S/Key information leakage
------------------------------------------------------------
From: Markus Friedl <markus@openbsd.org>
To: Joel Maslak <jmaslak@antelope.net>
Cc: bugtraq@securityfocus.com
Message-ID: <20011113130004.A24212@faui02.informatik.uni-erlangen.de>

On Sun, Nov 11, 2001 at 06:29:38PM -0700, Joel Maslak wrote:
> There are some bad implementations of S/Key in client programs.  OpenSSH
> (at least on OpenBSD 2.9) is one such bad implementation.  OpenSSH only
> provides this challenge string if (1) the user exists and (2) the user is
> using one-time-passwords.

This depends very much on the version of the OpenSSH and the versions of
your skey library.

OpenSSH switched away from creating fake skey challenges, and now depends
on the skey/otp/bsdauth/whatever-library to create fake challenges.

With BSD_AUTH it even depends on the authentication algorithms available
in the default class.

With a post-Nov 2000 OpenBSD, skeychallenge() creates fake challenges, so
OpenSSH does not need to care.
(7488779) /Markus Friedl <markus@openbsd.org>/(Reformatted)

7507654 2001-11-15 17:12 -0500  /53 lines/ Alan J Rosenthal <flaps@dgp.toronto.edu>
Sent by: joel@lysator.liu.se
Imported: 2001-11-16 02:12 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19776>
Subject: Re: OpenSSH & S/Key information leakage
------------------------------------------------------------
From: flaps@dgp.toronto.edu (Alan J Rosenthal)
To: bugtraq@securityfocus.com
Message-ID: <20011115221226.7C93E186B0@atlas.dgp.toronto.edu>

These observations of information leakage are cute, and while some of them
might be fixable, I'm not sure that most of them are, which is dismaying.
If OPIE didn't tell you the password number, for example, it would be quite
hard to use.

Anyway, I was expecting to see the following in that list.  OPIE will tell
you whether or not a given account exists.  This is a disclosure we often
take pains to avoid on the internet these days; we expect the same error
message for 'no such account' and 'bad password'.

A login prompt for a non-account looks like this:

    login: flomp
    otp-md5 175 at2078 ext
    Response:

So far, so good.  But press return once or twice to get "Login incorrect"
(or make a new connection), and then do

    login: flomp
    otp-md5 220 at0624 ext
    Response:

Either the user just set a new passphrase in this one-second interval, or
"flomp" does not exist.

Compare:

    login: flaps
    otp-md5 796 qz1234 ext
    Response:
    Response:
    Login incorrect
    login: flaps
    otp-md5 796 qz1234 ext
    Response:
    Response:

Always 796 qz1234 (until I next log in using OPIE and/or re-set my
passphrase).

Joel Maslak <jmaslak@antelope.net> writes:
>- If S/Key passwords are used at all, "fake" challenge strings should be
>printed whenever a real challenge string is not available.  OPIE does this
>right.

I claim that what OPIE does is inadequate, but I don't have a solution
(thus this is not a criticism of OPIE).

(7507654) /Alan J Rosenthal <flaps@dgp.toronto.edu>/(Reformatted)
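
Added example, not part of the thread and not code from OPIE, OpenSSH or any skey library: one way to make decoy challenges repeatable, so that two probes of the same unknown username show the same sequence number and seed, as a real account's challenge does between logins. The function names, the per-host secret, the 1..999 sequence range and the two-letter, four-digit seed shape are assumptions chosen to resemble the transcripts above.

```python
import hashlib
import hmac
import re

# Challenge layout as quoted in the thread, e.g. "otp-md5 98 indi26401"
# (OPIE appends " ext").
CHALLENGE_RE = re.compile(
    r"^otp-(?P<alg>[a-z0-9]+) (?P<seq>\d+) (?P<seed>[a-z]+\d+)(?P<ext> ext)?$"
)

def parse_challenge(line):
    """Split a challenge string into algorithm, sequence number and seed."""
    m = CHALLENGE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an OTP challenge: {line!r}")
    return {"alg": m["alg"], "seq": int(m["seq"]),
            "seed": m["seed"], "ext": m["ext"] is not None}

def fake_challenge(server_secret, username, alg="md5"):
    """Decoy challenge derived from HMAC(secret, username): repeat probes of
    the same unknown name always see the same sequence number and seed."""
    d = hmac.new(server_secret, username.encode("utf-8"), hashlib.sha256).digest()
    seq = 1 + int.from_bytes(d[0:2], "big") % 999        # assumed range 1..999
    letters = "".join(chr(ord("a") + b % 26) for b in d[2:4])
    digits = int.from_bytes(d[4:8], "big") % 10000
    return f"otp-{alg} {seq} {letters}{digits:04d} ext"  # seed shaped like "at2078"

def challenge_for(username, accounts, server_secret):
    """Return the stored challenge for a real user, a stable decoy otherwise."""
    if username in accounts:
        seq, seed = accounts[username]
        return f"otp-md5 {seq} {seed} ext"
    return fake_challenge(server_secret, username)

if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"      # constructed; use random per-host bytes
    ACCOUNTS = {"flaps": (796, "qz1234")}    # constructed from the thread's transcript
    for name in ("flaps", "flomp", "flomp"):
        print(name, "->", challenge_for(name, ACCOUNTS, SECRET))
```

A decoy built this way never counts down, so over a long observation period it looks like an account that never logs in; it closes the repeat-probe difference described above, not the sequence-number profiling from the first message.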