OpenSSH S/Key Remote Information Disclosure Vulnerability

2007-04-25T00:00:00
ID SSV:1686
Type seebug
Reporter Root
Modified 2007-04-25T00:00:00

Description

OpenSSH is a popular implementation of the encrypted Secure Shell application.

When S/KEY is in use, OpenSSH has an information disclosure problem; a remote attacker can exploit it to obtain sensitive information about system accounts.

If "ChallengeResponseAuthentication" is set to "Yes" (the default), SSH allows users to log in via S/KEY using the form 'ssh userid:skey@hostname'. Normal SSH behaviour looks like this:

===============================================================================
alucard $ ssh user@somewhere
Permission denied (publickey,keyboard-interactive).
===============================================================================

As you can see, PasswordAuthentication is disabled. Now test ChallengeResponseAuthentication; if it is enabled, it can be used to determine whether a system account exists:

===============================================================================
alucard $ ssh user:skey@somewhere
otp-md5 99 some04578
S/Key Password:

alucard $
===============================================================================

If the account does not exist, OpenSSH's response is different:

===============================================================================
alucard $ ssh testuser:skey@somewhere
Permission denied (publickey,keyboard-interactive).
===============================================================================

From this difference an attacker can determine whether a system account exists and then mount a brute-force attack against it.
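The whole issue hinges on one sshd_config directive, so the first thing a defender wants is a reliable read of its effective value. The following Python auditor is an added example, not part of the original advisory or of OpenSSH: it reports the effective ChallengeResponseAuthentication value of an sshd_config, honouring sshd's first-occurrence-wins rule, the implicit default of yes when the directive is absent (the default the advisory refers to), and directives placed inside Match blocks, which apply only to the matching context. The configuration text is a constructed sample; treating KbdInteractiveAuthentication as an alias reflects newer OpenSSH releases, where the two names denote the same option.

```python
"""Audit an sshd_config for the effective ChallengeResponseAuthentication value."""
import re
import sys

# Constructed sample: the later "no" is ignored because sshd uses the first
# occurrence, and the directive under Match only applies to user "admin".
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
Match User admin
    ChallengeResponseAuthentication no
"""

# Newer OpenSSH releases treat KbdInteractiveAuthentication as the same option.
OPTION_ALIASES = ("challengeresponseauthentication", "kbdinteractiveauthentication")
DEFAULT_VALUE = "yes"   # what sshd assumes when the directive is absent

# Keyword followed by whitespace or "=", as sshd accepts both spellings.
_DIRECTIVE = re.compile(r"^(?P<key>[A-Za-z]+)\s*(?:=\s*|\s+)(?P<value>.*)$")


def parse_sshd_config(text):
    """Return (keyword, value, match_context) tuples in file order.

    keyword is lower-cased; match_context is None for global directives and
    the Match criteria string for directives inside a Match block.
    """
    directives = []
    context = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key = m.group("key").lower()
        value = m.group("value").strip()
        if key == "match":
            context = value          # everything until the next Match is conditional
            continue
        directives.append((key, value, context))
    return directives


def effective_challenge_response(text):
    """Compute the global value (first occurrence wins) plus Match overrides."""
    global_value = None
    overrides = []
    for key, value, context in parse_sshd_config(text):
        if key not in OPTION_ALIASES:
            continue
        if context is None:
            if global_value is None:     # sshd keeps the first global setting
                global_value = value.lower()
        else:
            overrides.append((context, value.lower()))
    return {
        "global": global_value if global_value is not None else DEFAULT_VALUE,
        "from_default": global_value is None,
        "match_overrides": overrides,
    }


def audit(text):
    """Return human-readable findings; an empty list means nothing to flag."""
    state = effective_challenge_response(text)
    findings = []
    if state["global"] == "yes":
        origin = "implicit default" if state["from_default"] else "explicit setting"
        findings.append(
            "ChallengeResponseAuthentication is effectively yes (%s): S/Key-style "
            "challenge-response login is reachable for every account; set it to no "
            "unless it is required." % origin)
    for context, value in state["match_overrides"]:
        findings.append("Match %s: ChallengeResponseAuthentication %s "
                        "(applies only to that context)" % (context, value))
    return findings


if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the constructed sample is used.
    config_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit(config_text) or ["no findings"]:
        print(finding)
```

Run it against a real file with `python3 audit_sshd.py /etc/ssh/sshd_config`; remember that `sshd -T` prints the value sshd actually loaded, which is the authoritative check once the file parses cleanly.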

Affected versions

OpenBSD Portable OpenSSH 4.4.p1
OpenBSD Portable OpenSSH 4.3.p2
OpenBSD Portable OpenSSH 4.3.p1
OpenBSD Portable OpenSSH 4.2.p1
OpenBSD Portable OpenSSH 4.1.p1
OpenBSD Portable OpenSSH 4.0.p1
OpenBSD OpenSSH (FreeBSD Port) 2.9 p2
  + FreeBSD FreeBSD 4.4
OpenBSD OpenSSH 3.8.1 p1
OpenBSD OpenSSH 3.0.2 p1
OpenBSD OpenSSH 3.0.2
OpenBSD OpenSSH 3.0.2
OpenBSD OpenSSH 3.0.1 p1
  + Trustix Secure Linux 1.5
  + Trustix Secure Linux 1.2
  + Trustix Secure Linux 1.1
OpenBSD OpenSSH 3.0.1
  + FreeBSD FreeBSD 4.4
  + FreeBSD FreeBSD 4.3
  - OpenBSD OpenBSD 2.9
  - OpenBSD OpenBSD 2.8
  - OpenBSD OpenBSD 2.7
  - OpenBSD OpenBSD 2.6
OpenBSD OpenSSH 3.0 p1
OpenBSD OpenSSH 3.0
  - OpenBSD OpenBSD 2.9
  - OpenBSD OpenBSD 2.8
  - OpenBSD OpenBSD 2.7
  - OpenBSD OpenBSD 2.6
OpenBSD OpenSSH 2.9 p2
  - Caldera OpenLinux Server 3.1
  - Caldera OpenLinux Server 3.1
  - Caldera OpenLinux Workstation 3.1
  - Caldera OpenLinux Workstation 3.1
  + HP Secure OS software for Linux 1.0
  + HP Secure OS software for Linux 1.0
  + RedHat Linux 7.2 i386
  + RedHat Linux 7.2 i386
  + RedHat Linux 7.1 ia64
  + RedHat Linux 7.1 ia64
  + RedHat Linux 7.1 i386
  + RedHat Linux 7.1 i386
  + RedHat Linux 7.1 alpha
  + RedHat Linux 7.1 alpha
  + RedHat Linux 7.0 i386
  + RedHat Linux 7.0 i386
  + RedHat Linux 7.0 alpha
  + RedHat Linux 7.0 alpha
OpenBSD OpenSSH 2.9 p1
  - Caldera OpenLinux 2.4
  - Debian Linux 2.2
  - HP HP-UX 11.11
  - IBM AIX 4.3.3
  - MandrakeSoft Corporate Server 1.0.1
  - MandrakeSoft Linux Mandrake 8.1 ia64
  - MandrakeSoft Linux Mandrake 8.1
  - MandrakeSoft Linux Mandrake 8.0 ppc
  - MandrakeSoft Linux Mandrake 8.0
  - MandrakeSoft Linux Mandrake 7.2
  - MandrakeSoft Linux Mandrake 7.1
  - MandrakeSoft Single Network Firewall 7.2
  - RedHat Linux 7.1
  - RedHat Linux 7.0
  - RedHat Linux 6.2
  - S.u.S.E. Linux 7.1
  - S.u.S.E. Linux 7.0
  - SCO eDesktop 2.4
  - SCO eServer 2.3.1
  - SGI IRIX 6.5.9
  - Sun Solaris 7.0
  - Sun Solaris 2.6
  - Sun Solaris 8
OpenBSD OpenSSH 2.9
  + FreeBSD FreeBSD 4.4
  + OpenBSD OpenBSD 2.9
OpenBSD OpenSSH 2.5.2 p2
  + RedHat Linux 7.0
OpenBSD OpenSSH 2.5.2
OpenBSD OpenSSH 2.3.1 p1
OpenBSD OpenSSH 2.3.1
  - OpenBSD OpenBSD 2.8
  - OpenBSD OpenBSD 2.7
  - OpenBSD OpenBSD 2.6
OpenBSD OpenSSH 2.2 .x
  + Conectiva Linux 6.0
  + Debian Linux 2.2 sparc
  + Debian Linux 2.2 powerpc
  + Debian Linux 2.2 arm
  + Debian Linux 2.2 alpha
  + Debian Linux 2.2 68k
  + Debian Linux 2.2
  + FreeBSD FreeBSD 5.0
  + FreeBSD FreeBSD 4.2
  + FreeBSD FreeBSD 4.1.1
  + HP HP-UX 11.11
  + MandrakeSoft Linux Mandrake 7.2
  + MandrakeSoft Linux Mandrake 7.1
  + MandrakeSoft Linux Mandrake 7.0
  + NetBSD NetBSD 1.4.2
  + OpenBSD OpenBSD 2.8
  + OpenBSD OpenBSD 2.7
  + RedHat Linux 7.0
  + S.u.S.E. Linux 7.0
  + Sun Solaris 8
  + Trustix Trustix Secure Linux 1.1
  + Trustix Trustix Secure Linux 1.0
OpenBSD OpenSSH 2.2 .0
OpenBSD OpenSSH 2.1.1 p1
  + Trustix Secure Linux 1.5
  + Trustix Secure Linux 1.2
  + Trustix Secure Linux 1.1
OpenBSD OpenSSH 2.1.1
OpenBSD OpenSSH 2.1 .x
OpenBSD OpenSSH 2.1
OpenBSD OpenSSH 1.2.3
  + Debian Linux 2.2 sparc
  + Debian Linux 2.2 powerpc
  + Debian Linux 2.2 arm
  + Debian Linux 2.2 alpha
  + Debian Linux 2.2 68k
  + Debian Linux 2.2
OpenBSD OpenSSH 1.2
OpenBSD OpenSSH 1.0 .x
OpenBSD OpenSSH 4.6
OpenBSD OpenSSH 4.5
OpenBSD OpenSSH 4.4
OpenBSD OpenSSH 4.3p1
OpenBSD OpenSSH 4.3
OpenBSD OpenSSH 4.2p1
OpenBSD OpenSSH 4.2
OpenBSD OpenSSH 4.1
OpenBSD OpenSSH 4.0
OpenBSD OpenSSH 3.9 p1

No solution is currently available from the vendor:

http://www.openssh.org/