[Gllug] SSH is Not Secure!
Mike Brodbelt
mike at coruscant.demon.co.uk
Tue Jul 24 23:42:36 UTC 2001
Nix wrote:
>
> On Tue, 24 Jul 2001, Tom Gilbert yowled:
> > * Nix (nix at esperi.demon.co.uk) wrote:
> >> It's the crypted form that the problem arises with, so this means that
> >> starred-out accounts are vulnerable.
> >
> > That doesn't make sense to me - the bug is in the decrypting of the
> > password and the existence of the salt characters - the * in a starred
> > out account takes no part in the decryption process, it's there
> > uncrypted - and the check for a *'d out account is done before any
> > crypted comparisons take place.
>
> Oh. If that's the case I must have misunderstood the bugtraq thread :(
You didn't. The major bug is that the affected commercial SSH version
makes no attempt to check for *'d accounts. The absence of this check
and the presence of a bug in the comparison of the return from crypt
with the contents of the encrypted password hash combine to generate a
situation where any password will be accepted if the crypted string is
two or more characters.
A quick check shows that if I were running the vulnerable ssh, the
accounts accessible on my machine would be:-
bin *
daemon *
adm *
lp *
sync *
shutdown *
halt *
mail *
news *
uucp *
operator *
games *
gopher *
ftp *
nobody *
gdm !!
postgres !!
mysql !!
named !!
Hmmm - not good. Full details at :-
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26start%3D2001-07-15%26threads%3D0%26mid%3D198404%26fromthread%3D0%26end%3D2001-07-21%26
Mike.
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
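The "quick check" Mike describes, written out as an added example (this is not code from the thread): it reads a shadow-format file and lists every account whose password field is not a real crypt(3) hash, i.e. the accounts an authentication path that skips the locked-account check would expose. The shadow lines below are constructed and the hashes in them are fake.

```python
import re

# Added example, not part of the original post. Audit a shadow-format file for
# accounts whose password field is a lock marker or otherwise not a crypt hash.

# Fields that mean "no password login" rather than a hash.
LOCKED_FIELDS = {"*", "!", "!!"}
# A classic DES crypt(3) hash is 13 characters from the crypt alphabet;
# modular-crypt hashes (MD5, SHA-*) start with "$id$".
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")
MODULAR_HASH = re.compile(r"^\$[0-9a-z]+\$")

def classify(field: str) -> str:
    """Classify one shadow password field as hash / locked / empty / malformed."""
    if field == "":
        return "empty"            # no password at all
    if field in LOCKED_FIELDS or field.startswith("!"):
        return "locked"           # "*", "!!", or a hash disabled with a "!" prefix
    if DES_HASH.match(field) or MODULAR_HASH.match(field):
        return "hash"
    return "malformed"            # anything else, e.g. a one- or two-character field

def exposed_accounts(shadow_text: str) -> list[tuple[str, str, str]]:
    """Return (user, field, class) for every account whose field is not a hash."""
    found = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        user = parts[0]
        field = parts[1] if len(parts) > 1 else ""
        kind = classify(field)
        if kind != "hash":
            found.append((user, field, kind))
    return found

# Constructed sample modelled on the account list in the post; hashes are fake.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$ijklmnopqrstuvwxyz012:11500:0:99999:7:::
bin:*:11500:0:99999:7:::
gdm:!!:11500:0:99999:7:::
mike:AbCdEfGhIjKlM:11500:0:99999:7:::
guest::11500:0:99999:7:::
odd:ab:11500:0:99999:7:::
"""

if __name__ == "__main__":
    for user, field, kind in exposed_accounts(SAMPLE_SHADOW):
        print(f"{user:10} {field:4} {kind}")
```

Run it against a copy of a real /etc/shadow (as root) to reproduce the kind of listing in the post; "locked" entries are the ones that should never reach crypt() at all.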