Debian Bug report logs - #281595
timing attack allows attacker to determine valid usernames
Reported by: Joey Hess <joeyh@debian.org>
Date: Tue, 16 Nov 2004 20:18:05 UTC
Severity: serious
Tags: fixed-in-experimental, security
Found in version 1:3.8.1p1-8.sarge.2
Fixed in version openssh/1:3.8.1p1-8.sarge.4
Done: Colin Watson <cjwatson@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#281595; Package ssh.
Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: ssh
Version: 1:3.8.1p1-8.sarge.2
Severity: serious
Tags: security
CAN-2003-0190 describes a flaw in ssh's password prompt timing which
makes it easy for an attacker to determine if a username exists on a
machine. I've checked, and testing and unstable's versions of ssh are
vulnerable. Details and some fixes are in this message:
http://marc.theaimsgroup.com/?l=bugtraq&m=105172058404810&w=2
Feel free to downgrade this bug if you don't feel it's a real security
problem or not RC. I assume upstream must not, since the problem has not
been fixed in over a year. Of course, upstream probably doesn't use ssh
in the vulnerable configuration, with pam.
--
see shy jo
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#281595; Package ssh.
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #10 received at 281595@bugs.debian.org:
On Tue, Nov 16, 2004 at 03:11:07PM -0500, Joey Hess wrote:
> Package: ssh
> Version: 1:3.8.1p1-8.sarge.2
> Severity: serious
> Tags: security
>
> CAN-2003-0190 describes a flaw in ssh's password prompt timing which
> makes it easy for an attacker to determine if a username exists on a
> machine. I've checked, and testing and unstable's versions of ssh are
> vulnerable. Details and some fixes are in this message:
> http://marc.theaimsgroup.com/?l=bugtraq&m=105172058404810&w=2
>
> Feel free to downgrade this bug if you don't feel it's a real security
> problem or not RC. I assume upstream must not, since the problem has not
> been fixed in over a year. Of course, upstream probably doesn't use ssh
> in the vulnerable configuration, with pam.
I think it's been somewhat fixed upstream (where upstream == portable),
actually:
20040530
[...]
- (dtucker) [auth-pam.c] Use an invalid password for root if
PermitRootLogin != yes or the login is invalid, to prevent leaking
information. Based on Openwall's owl-always-auth patch. ok djm@
However, that's only PAM password authentication, and
keyboard-interactive is relevant too. Darren, do you happen to know if
kbdint has been fixed in the same way in 3.9p1? I don't see anything
obvious in CVS.
Thanks,
--
Colin Watson [cjwatson@debian.org]
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#281595; Package ssh.
Acknowledgement sent to Darren Tucker <dtucker@zip.com.au>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #15 received at 281595@bugs.debian.org:
Colin Watson wrote:
> 20040530
> [...]
> - (dtucker) [auth-pam.c] Use an invalid password for root if
> PermitRootLogin != yes or the login is invalid, to prevent leaking
> information. Based on Openwall's owl-always-auth patch. ok djm@
>
> However, that's only PAM password authentication, and
> keyboard-interactive is relevant too. Darren, do you happen to know if
> kbdint has been fixed in the same way in 3.9p1? I don't see anything
> obvious in CVS.
No, it's not fixed in 3.9p1.
The problem is not exactly the same, though. In this case, it's partly
because the keyboard-interactive code doesn't call the kbdint driver at
all in this case. The first attached patch ought to fix that.
With that fixed, a change to the PAM code is required because it will
complete for a real user with their real password if, e.g., they are listed
in DenyUsers. This will result in the PAM code getting out of sync with
the kbdint code, resulting in the authentication hanging. The second
patch ought to fix that.
I haven't done much testing of either patch, so please let me know how
they go.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
[openbsd-sshd-kbdint-leak.patch (text/plain, inline)]
Index: auth2-chall.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
retrieving revision 1.21
diff -u -p -r1.21 auth2-chall.c
--- auth2-chall.c 1 Jun 2004 14:20:45 -0000 1.21
+++ auth2-chall.c 6 Jul 2004 12:13:10 -0000
@@ -268,12 +268,9 @@ input_userauth_info_response(int type, u
}
packet_check_eom();
- if (authctxt->valid) {
- res = kbdintctxt->device->respond(kbdintctxt->ctxt,
- nresp, response);
- } else {
- res = -1;
- }
+ res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
+ if (!authctxt->valid)
+ res = 1; /* keep going if login invalid */
for (i = 0; i < nresp; i++) {
memset(response[i], 'r', strlen(response[i]));
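Review bot: the override `if (!authctxt->valid) res = 1;` replaces whatever `respond()` returned, including `-1`, so for an invalid login the exchange is always continued instead of failed; that is what closes the timing gap, but it also silently turns a driver error into "needs further interaction". If any kbdint device answers `-1` directly for a wrong response, an invalid user would now be re-prompted where a valid user with a wrong password fails, which is itself distinguishable, so please confirm every device behaves the same under this override and extend the comment beyond `keep going if login invalid` to say that driver errors are deliberately masked here too.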
@@ -285,7 +282,7 @@ input_userauth_info_response(int type, u
switch (res) {
case 0:
/* Success! */
- authenticated = 1;
+ authenticated = authctxt->valid ? 1 : 0;
break;
case 1:
/* Authentication needs further interaction */
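Review bot: with the first hunk forcing `res = 1` whenever `!authctxt->valid`, `case 0` can no longer be reached for an invalid login, so `authenticated = authctxt->valid ? 1 : 0;` is a second guard rather than a functional change. Worth keeping as defence in depth, but add a one-line comment saying so; otherwise a later reader will wonder which of the two checks is the authoritative one and may "simplify" one of them away.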
[openssh-pam-kbdint-leak.patch (text/plain, inline)]
Index: auth-pam.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
retrieving revision 1.118
diff -u -p -r1.118 auth-pam.c
--- auth-pam.c 16 Oct 2004 08:52:44 -0000 1.118
+++ auth-pam.c 20 Nov 2004 02:40:58 -0000
@@ -186,6 +186,7 @@ static int sshpam_account_status = -1;
static char **sshpam_env = NULL;
static Authctxt *sshpam_authctxt = NULL;
static const char *sshpam_password = NULL;
+static char badpw[] = "\b\n\r\177INCORRECT";
/* Some PAM implementations don't implement this */
#ifndef HAVE_PAM_GETENVLIST
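Review bot: `badpw` is promoted to file scope so that `sshpam_respond()` can share it with `sshpam_auth_passwd()`; the visible uses only read it, so `static const char badpw[] = ...` would document that intent. A short comment on why this particular value is used (a string no real password is expected to equal, so the substituted conversation always fails without special-casing) would also help, since the reason is otherwise only recoverable from the Openwall patch history.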
@@ -746,7 +747,10 @@ sshpam_respond(void *ctx, u_int num, cha
return (-1);
}
buffer_init(&buffer);
- buffer_put_cstring(&buffer, *resp);
+ if (sshpam_authctxt->valid)
+ buffer_put_cstring(&buffer, *resp);
+ else
+ buffer_put_cstring(&buffer, badpw);
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
buffer_free(&buffer);
return (-1);
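Review bot: `sshpam_authctxt` is initialised to `NULL` at file scope (see the first hunk's context) and `sshpam_respond()` now dereferences it unconditionally; if there is any path on which a response can arrive before the context is attached, this is a NULL dereference. Either assert it is set here or fall back to `badpw` when it is `NULL`, which is the safe choice because that branch can never authenticate. Sending `badpw` rather than `*resp` for an invalid login also means the client's real response never reaches the PAM thread, which is the right direction.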
@@ -1093,7 +1097,6 @@ sshpam_auth_passwd(Authctxt *authctxt, c
{
int flags = (options.permit_empty_passwd == 0 ?
PAM_DISALLOW_NULL_AUTHTOK : 0);
- static char badpw[] = "\b\n\r\177INCORRECT";
if (!options.use_pam || sshpam_handle == NULL)
fatal("PAM: %s called when PAM disabled or failed to "
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#281595; Package ssh.
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #20 received at 281595@bugs.debian.org:
On Sat, Nov 20, 2004 at 01:51:55PM +1100, Darren Tucker wrote:
> No, it's not fixed in 3.9p1.
>
> The problem is not exactly the same, though. In this case, it's partly
> because the keyboard-interactive code doesn't call the kbdint driver at
> all in this case. The first attached patch ought to fix that.
>
> With that fixed, a change to the PAM code is required because it will
> complete for a real user with their real password if, e.g., they are listed
> in DenyUsers. This will result in the PAM code getting out of sync with
> the kbdint code, resulting in the authentication hanging. The second
> patch ought to fix that.
>
> I haven't done much testing of either patch, so please let me know how
> they go.
Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
PasswordAuthentication; the patch is attached. It seems to work for me.
After a bit more testing I'll upload this to unstable.
Cheers,
--
Colin Watson [cjwatson@debian.org]
[openssh-kbdint-authfix.patch (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#281595; Package ssh.
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #25 received at 281595@bugs.debian.org:
On Sat, Nov 27, 2004 at 05:26:50PM +0000, Colin Watson wrote:
> On Sat, Nov 20, 2004 at 01:51:55PM +1100, Darren Tucker wrote:
> > No, it's not fixed in 3.9p1.
> >
> > The problem is not exactly the same, though. In this case, it's partly
> > because the keyboard-interactive code doesn't call the kbdint driver at
> > all in this case. The first attached patch ought to fix that.
> >
> > With that fixed, a change to the PAM code is required because it will
> > complete for a real user with their real password if, e.g., they are listed
> > in DenyUsers. This will result in the PAM code getting out of sync with
> > the kbdint code, resulting in the authentication hanging. The second
> > patch ought to fix that.
> >
> > I haven't done much testing of either patch, so please let me know how
> > they go.
>
> Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
> PasswordAuthentication; the patch is attached. It seems to work for me.
> After a bit more testing I'll upload this to unstable.
Here's a further patch on top of your openssh-pam-kbdint-leak.patch
which makes sure that attempted root logins when PermitRootLogin is not
set to yes always have the same delay (Debian bug #248747). It's the
same as you did for PAM PasswordAuthentication.
Cheers,
--
Colin Watson [cjwatson@debian.org]
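As an added illustration, not OpenSSH code and not from anyone in this thread, of the two behaviours Darren describes in Message #15 and of the refused-root case Colin raises above: a small C model in which a stand-in password check always costs the same amount of work, so the only thing that can differ between a real and an invalid username is whether the check runs at all. The accounts, the `CHECK_COST` constant and the `LOGIN_VALID` rule are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Model of sshd's kbdint/PAM response path for this bug; not OpenSSH code.
 * work_done counts iterations of a stand-in password check and stands in for
 * the delay a client would observe; each respond_* call resets it. */
#define PERMIT_ROOT_LOGIN 0   /* PermitRootLogin != yes, the bug #248747 case */
#define CHECK_COST 100000UL   /* iterations the stand-in password check burns */
static const char badpw[] = "\b\n\r\177INCORRECT";  /* fake password from the patch */
unsigned long work_done;
/* Constructed accounts: "alice" exists; root counts as invalid when refused. */
#define LOGIN_VALID(u) (strcmp(u, "root") == 0 ? PERMIT_ROOT_LOGIN : strcmp(u, "alice") == 0)

/* Stand-in for the PAM conversation: always burns CHECK_COST, like a real hash. */
static int pam_check(const char *user, const char *pw)
{
    unsigned long i, h = 5381, n = strlen(pw) + 1;   /* +1 keeps "" safe */
    for (i = 0; i < CHECK_COST; i++, work_done++)
        h = h * 33 + (unsigned char)pw[i % n];
    (void)h;
    return strcmp(user, "alice") == 0 && strcmp(pw, "s3cret") == 0;
}

/* Before the patch: an invalid login skips the driver and fails with no work
 * done, which is the username oracle of CAN-2003-0190.  1 = authenticated. */
int respond_vulnerable(const char *user, const char *pw)
{
    work_done = 0;
    return LOGIN_VALID(user) ? pam_check(user, pw) : 0;
}

/* After the patch: the driver always runs, an invalid login is fed badpw in
 * place of its response (sshpam_respond) and can never authenticate
 * (auth2-chall.c), so valid and invalid attempts cost the same. */
int respond_fixed(const char *user, const char *pw)
{
    int valid = LOGIN_VALID(user), res;
    work_done = 0;
    res = pam_check(user, valid ? pw : badpw) ? 0 : -1;
    if (!valid)
        res = 1;                        /* keep going if login invalid */
    return res == 0 && valid;
}

int main(void)
{
    respond_vulnerable("mallory", "x"); printf("vulnerable, invalid user: %lu\n", work_done);
    respond_vulnerable("alice", "x");   printf("vulnerable, valid user:   %lu\n", work_done);
    respond_fixed("mallory", "x");      printf("fixed, invalid user:      %lu\n", work_done);
    respond_fixed("alice", "x");        printf("fixed, valid user:        %lu\n", work_done);
    return 0;
}
```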
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#281595; Package ssh.
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #30 received at 281595@bugs.debian.org:
On Sun, Nov 28, 2004 at 12:37:11PM +0000, Colin Watson wrote:
> On Sat, Nov 27, 2004 at 05:26:50PM +0000, Colin Watson wrote:
> > Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
> > PasswordAuthentication; the patch is attached. It seems to work for me.
> > After a bit more testing I'll upload this to unstable.
>
> Here's a further patch on top of your openssh-pam-kbdint-leak.patch
> which makes sure that attempted root logins when PermitRootLogin is not
> set to yes always have the same delay (Debian bug #248747). It's the
> same as you did for PAM PasswordAuthentication.
... how about I actually attach it?
--
Colin Watson [cjwatson@debian.org]
[openssh-root-delay.patch (text/plain, attachment)]
Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility.
Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer.
Message #35 received at 281595-close@bugs.debian.org:
Source: openssh
Source-Version: 1:3.8.1p1-8.sarge.4
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:
openssh-client-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
to pool/main/o/openssh/openssh-client-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
openssh-server-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
to pool/main/o/openssh/openssh-server-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
openssh_3.8.1p1-8.sarge.4.diff.gz
to pool/main/o/openssh/openssh_3.8.1p1-8.sarge.4.diff.gz
openssh_3.8.1p1-8.sarge.4.dsc
to pool/main/o/openssh/openssh_3.8.1p1-8.sarge.4.dsc
ssh-askpass-gnome_3.8.1p1-8.sarge.4_powerpc.deb
to pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-8.sarge.4_powerpc.deb
ssh_3.8.1p1-8.sarge.4_powerpc.deb
to pool/main/o/openssh/ssh_3.8.1p1-8.sarge.4_powerpc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 281595@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sun, 28 Nov 2004 12:37:16 +0000
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server-udeb
Architecture: source powerpc
Version: 1:3.8.1p1-8.sarge.4
Distribution: unstable
Urgency: high
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
openssh-client-udeb - Secure shell client for the Debian installer (udeb)
openssh-server-udeb - Secure shell server for the Debian installer (udeb)
ssh - Secure rlogin/rsh/rcp replacement (OpenSSH)
ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 248747 281595
Changes:
openssh (1:3.8.1p1-8.sarge.4) unstable; urgency=high
.
* Fix timing information leak allowing discovery of invalid usernames in
PAM keyboard-interactive authentication (backported from a patch by
Darren Tucker; closes: #281595).
* Make sure that there's a delay in PAM keyboard-interactive
authentication when PermitRootLogin is not set to yes and the correct
root password is entered (closes: #248747).
Files:
Tags added: fixed-in-experimental
Request was from Colin Watson <cjwatson@debian.org>
to control@bugs.debian.org.
Last modified: Sat Mar 25 18:41:24 2023