SSH 1.2.25/HP-UX 10.20 Vulnerability

[security () SIAMRELAY COM (Security Research Team)]

__________________________________________________________

      S.A.F.E.R. Security Bulletin 980907.EXP.1.1
__________________________________________________________


TITLE: Vulnerability with HP-UX 10.20 and SSH 1.2.25
DATE: September 7, 1998
NATURE: Local compromise (remote under some circumstances)
PLATFORMS: HP-UX 10.20 (possibly other versions of HP-UX)

DETAILS:

A vulnerability exists in HP-UX systems (tested on 10.20 that was converted
to "trusted system") using SSH 1.2.25.

When administrator creates a new user using SAM, no password is assigned,
but a random number is generated which the user needs to input upon first
login.

However, if user connects via SSH using newly created username, no password
authentication is performed and user automatically drops into shell.

This can be especially dangerous on systems where users are added on a
daily basis (universities for example) and other users aware of this bug
could gain access to newly created accounts (remote users could gain
information about new users using finger command, for example).

FIXES:

SSH 1.2.26 is available for over a month now (this problem has been fixed).
Also, version 2.0 of SSH is released (completely rewritten).

They are available for download at: ftp://ftp.cs.hut.fi/pub/ssh/


__________________________________________________________

   S.A.F.E.R. - Security Alert For Entreprise Resources
          Copyright (c) 1998  Siam Relay Ltd.
 http://siamrelay.com/safer  ---  security () siamrelay com
__________________________________________________________