101714 2003-05-16 22:37 /55 lines/ NetExpress <netexpress@tiscali.it>
Imported: 2003-05-16 22:37 by Brevbäraren
External recipient: Pen-Test@securityfocus.com
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4925>
Subject: bsdbsdftpd-6.0-ssl-0.6.1-1 attack allows remote users identification
------------------------------------------------------------
Product bsbsdftpd-6.0-ssl-0.6.1-1
http://bsdftpd-ssl.sc.ru/

During a pen-test we have noticed how easy it is to identify valid users on
vulnerable systems through a simple timing attack.

When I try to connect to ftp without ssl using a non-existent user with a bad
password, I get an immediate response of incorrect login; when I use a real
user with a bad password, I get a 2 second wait before getting the incorrect
login message.

It seems to be very close to the recent CAN-2003-0190 about the OpenSSH/PAM
timing attack that allows remote user identification.

I have tested this on Linux RH 7.3 and RH 8.0.

I believe the vulnerability is easy to exploit and may have high severity if
combined with poor password policies and other security problems that allow
local privilege escalation.

Alessandro Fiorenzi
a.fiorenzi@infogroup.it
aka netexpress

------------------------------------------------------------------------
INFOGROUP S.P.A
http://www.infogroup.it
-------------------------------------------------------------------------
DR. FIORENZI ALESSANDRO
Consultant to the Court of Florence - IT security
System Administrator
Member of CLUSIT <file:///home/fiore/signature/www.clusit.it>, ALSI <file:///home/fiore/signature/www.alsi.it>
Tel : +39.055.43.65.742
CE : +39.335.64.144.77
@Email : a.fiorenzi@infogroup.it
PGP Key: http://www.infogroup.it/ds/fiorenzi.asc
-------------------------------------------------------------------------
"Every man is the maker of his own fortune"
-------------------------------------------------------------------------
(101714) /NetExpress <netexpress@tiscali.it>/(Rewrapped)
Comment in text 101727 by Damian Gerow <damian@sentex.net>

101727 2003-05-17 08:03 /20 lines/ Damian Gerow <damian@sentex.net>
Imported: 2003-05-17 08:03 by Brevbäraren
External recipient: NetExpress <netexpress@tiscali.it>
Recipient: Bugtraq (import) <4930>
Comment to text 101714 by NetExpress <netexpress@tiscali.it>
Subject: Re: bsdbsdftpd-6.0-ssl-0.6.1-1 attack allows remote users identification
------------------------------------------------------------
Thus spake NetExpress (netexpress@tiscali.it) [16/05/03 16:42]:
> Product bsbsdftpd-6.0-ssl-0.6.1-1
> http://bsdftpd-ssl.sc.ru/
>
> During a pen-test we have noticed how easy it is to identify valid users on
> vulnerable systems through a simple timing attack.
>
> When I try to connect to ftp without ssl using a non-existent user with a bad
> password, I get an immediate response of incorrect login; when I use a real
> user with a bad password, I get a 2 second wait before getting the incorrect
> login message.
>
> It seems to be very close to the recent CAN-2003-0190 about the OpenSSH/PAM
> timing attack that allows remote user identification.
>
> I have tested this on Linux RH 7.3 and RH 8.0.

I just tried this out on a FreeBSD system (4.8-RC x2), and I get the same
response time. Are you sure this is directly related to the ftp daemon, or is
it a PAM issue?

(101727) /Damian Gerow <damian@sentex.net>/(Rewrapped)
Attachment (application/pgp-signature) in text 101728
Comment in text 101729 by NetExpress <netexpress@tiscali.it>
Comment in text 101735 by Mika Boström <bostik@lut.fi>

101728 2003-05-17 08:03 /8 lines/ Damian Gerow <damian@sentex.net>
Imported: 2003-05-17 08:03 by Brevbäraren
External recipient: NetExpress <netexpress@tiscali.it>
Recipient: Bugtraq (import) <4931>
Attachment (text/plain) to text 101727
Subject: Attachment to: Re: bsdbsdftpd-6.0-ssl-0.6.1-1 attack allows remote users identification
------------------------------------------------------------
(101728) /Damian Gerow <damian@sentex.net>/---------

101729 2003-05-17 08:45 /42 lines/ NetExpress <netexpress@tiscali.it>
Imported: 2003-05-17 08:45 by Brevbäraren
External recipient: Damian Gerow <damian@sentex.net>
Recipient: Bugtraq (import) <4932>
Comment to text 101727 by Damian Gerow <damian@sentex.net>
Subject: Re: bsdbsdftpd-6.0-ssl-0.6.1-1 attack allows remote users identification
------------------------------------------------------------
Damian Gerow wrote:
> Thus spake NetExpress (netexpress@tiscali.it) [16/05/03 16:42]:
>
>> Product bsbsdftpd-6.0-ssl-0.6.1-1
>> http://bsdftpd-ssl.sc.ru/
>>
>> During a pen-test we have noticed how easy it is to identify valid users on
>> vulnerable systems through a simple timing attack.
>>
>> When I try to connect to ftp without ssl using a non-existent user with a bad
>> password, I get an immediate response of incorrect login; when I use a real
>> user with a bad password, I get a 2 second wait before getting the incorrect
>> login message.
>>
>> It seems to be very close to the recent CAN-2003-0190 about the OpenSSH/PAM
>> timing attack that allows remote user identification.
>>
>> I have tested this on Linux RH 7.3 and RH 8.0.
>
> I just tried this out on a FreeBSD system (4.8-RC x2), and I get the same
> response time. Are you sure this is directly related to the ftp daemon, or is
> it a PAM issue?

You are right, it is the same problem that affected the OpenSSH/PAM timing
attack, about which Marco Ivaldi from MediaService has posted the bug and the
solution.

I have been in touch with Marco Ivaldi; he has found that it is the same kind
of problem, and the same solution, but it is not really good to get this
problem on the default installation.

I mailed the author but I got no response.

For the solution, follow the one presented at
http://lab.mediaservice.net/advisory/2003-01-openssh.txt

Alessandro Fiorenzi

(101729) /NetExpress <netexpress@tiscali.it>/(Rewrapped)

101735 2003-05-17 20:21 /36 lines/ Mika Boström <bostik@lut.fi>
Imported: 2003-05-17 20:21 by Brevbäraren
External recipient: NetExpress <netexpress@tiscali.it>
External recipient: bugtraq@securityfocus.com
External replies to: bostik@lut.fi
Recipient: Bugtraq (import) <4936>
Comment to text 101727 by Damian Gerow <damian@sentex.net>
Subject: Re: bsdbsdftpd-6.0-ssl-0.6.1-1 attack allows remote users identification
------------------------------------------------------------
On Fri, 16 May 2003, Damian Gerow wrote:
> Thus spake NetExpress (netexpress@tiscali.it) [16/05/03 16:42]:
> > Product bsbsdftpd-6.0-ssl-0.6.1-1
> > http://bsdftpd-ssl.sc.ru/
> >
> > During a pen-test we have noticed how easy it is to identify valid users on
> > vulnerable systems through a simple timing attack.
> >
> > When I try to connect to ftp without ssl using a non-existent user with a bad
> > password, I get an immediate response of incorrect login; when I use a real
> > user with a bad password, I get a 2 second wait before getting the incorrect
> > login message.
> >
> > It seems to be very close to the recent CAN-2003-0190 about the OpenSSH/PAM
> > timing attack that allows remote user identification.
> >
> > I have tested this on Linux RH 7.3 and RH 8.0.
>
> I just tried this out on a FreeBSD system (4.8-RC x2), and I get the same
> response time. Are you sure this is directly related to the ftp daemon, or is
> it a PAM issue?

Looking back two weeks in the BugTraq archives, I see the following posting:

http://www.securityfocus.com/archive/1/320270/2003-04-30/2003-05-06/0

This suggests that many more programs are similarly vulnerable, because they
take shortcuts. After all, it is quite common and generally even good practice
to skip redundant code paths. The flip side of the coin is that it may allow
these kinds of timing attacks.

--
Mika Boström     +358-50-410-9042    \-/  "The Hell is empty,
Bostik@lut.fi    www.lut.fi/~bostik   X   and all the devils
Security freak, and proud of it.     /-\  are here."  -W.S.

(101735) /Mika Boström <bostik@lut.fi>/(Rewrapped)
Attachment (application/pgp-signature) in text 101736

101736 2003-05-17 20:21 /8 lines/ Mika Boström <bostik@lut.fi>
Imported: 2003-05-17 20:21 by Brevbäraren
External recipient: NetExpress <netexpress@tiscali.it>
External recipient: bugtraq@securityfocus.com
External replies to: bostik@lut.fi
Recipient: Bugtraq (import) <4937>
Attachment (text/plain) to text 101735
Subject: Attachment to: Re: bsdbsdftpd-6.0-ssl-0.6.1-1 attack allows remote users identification
------------------------------------------------------------
(101736) /Mika Boström <bostik@lut.fi>/
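The shortcut Mika describes (skipping the expensive password step when the user does not exist) and the style of fix the thread refers to for CAN-2003-0190, shown side by side as an added illustration in C. This is not code from bsdftpd-ssl, PAM or the cited advisory; the account table, the toy hash and the function names are constructed for the example, and a call counter stands in for wall-clock timing so the difference between the two paths is deterministic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed account store standing in for the system password database.
 * Passwords are kept in clear only to keep the example short. */
struct account { const char *name; const char *password; };
static const struct account ACCOUNTS[] = { { "alice", "correct horse" }, { "bob", "hunter2" } };

/* Counts invocations of the expensive step, so the two code paths can be
 * compared deterministically instead of by measuring response time. */
static int hash_calls = 0;
int hash_calls_reset(void) { int n = hash_calls; hash_calls = 0; return n; }

/* Toy stand-in for a password hash: iterated FNV-1a, made visibly costly. */
static uint32_t slow_hash(const char *s) {
    uint32_t h = 2166136261u;
    hash_calls++;
    for (int round = 0; round < 2000; round++)
        for (const char *p = s; *p; p++) { h ^= (unsigned char)*p; h *= 16777619u; }
    return h;
}

static const struct account *lookup(const char *name) {
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].name, name) == 0) return &ACCOUNTS[i];
    return NULL;
}

/* Leaky shape: unknown users are rejected before any hashing, so an unknown
 * name answers fast and a known name answers slow, which is the oracle the
 * thread describes. */
bool login_leaky(const char *user, const char *pw) {
    const struct account *a = lookup(user);
    if (a == NULL) return false;               /* fast path reveals "no such user" */
    return slow_hash(a->password) == slow_hash(pw);
}

/* Uniform shape, in the spirit of the fix cited for CAN-2003-0190: hash
 * against a dummy credential when the user is unknown, then reject, so both
 * outcomes do the same amount of work before answering. */
bool login_uniform(const char *user, const char *pw) {
    const struct account *a = lookup(user);
    const char *stored = (a != NULL) ? a->password : "*dummy-credential*";
    bool match = slow_hash(stored) == slow_hash(pw);  /* always evaluated */
    return (a != NULL) && match;
}
```

With a real KDF the dummy computation must use the same algorithm and parameters as a genuine one, otherwise the two paths stay distinguishable; the 2 second delay reported in the thread is exactly such a step being run on only one of them.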