Vulnerability Development mailing list archives

SSH 2.4.0/3.0.1 usernames guessable?


From: Marco van Berkum <m.v.berkum () obit nl>
Date: Mon, 03 Sep 2001 16:09:35 +0200

Hi,

--- My two cents---

As we were playing a bit with some SSH versions we
came across some interesting 'bugs'. I hope this is not
a 'known' bug, but I wasn't able to find any documentation
regarding this flaw.

I'll show the test from SSH 2.4.0 -> 2.4.0
(non-commercial version)

Making a telnet connection to see the version:

root@ws:~# telnet test 22
Trying 192.168.1.15...
Connected to test.
Escape character is '^]'.
SSH-1.99-2.4.0 SSH Secure Shell (non-commercial)
^]
telnet> q
Connection closed.

This is my SSH version:

root@ws:~# ssh -V
ssh: SSH Secure Shell 2.4.0 (non-commercial version) on
i686-pc-linux-gnu

Let's try to make an ssh connection for a non-existing user:

root@ws:~# ssh blaaaaa@test
blaaaaa's password:
warning: Authentication failed.
Disconnected; connection lost (Connection closed.).

Now I try it for an existing user:

root@ws:~# ssh marco@test
marco's password:
marco's password:
marco's password:
warning: Authentication failed.
Disconnected; no more authentication methods available (No further
authentication methods available.).

A clear difference in the output.

Now let's try scp with a non-existing user.

root@ws:~# touch test.txt
root@ws:~# scp test.txt blaaa@test:/home/blaaa
blaaa@test's password:
scp: warning: ssh2 client failed to authenticate. (or you have too old
ssh2 installed, check with ssh2 -V)
warning: Authentication failed.
Disconnected; connection lost (Connection closed.).
scp: warning: child process (ssh2) exited with code 1.

And now with an existing user:

root@ws:~# scp test.txt marco@test:/home/marco
marco@test's password:
marco@test's password:
marco@test's password:
scp: warning: ssh2 client failed to authenticate. (or you have too old
ssh2 installed, check with ssh2 -V)
warning: Authentication failed.
Disconnected; no more authentication methods available (No further
authentication methods available.).
scp: warning: child process (ssh2) exited with code 1.

Again, a clear difference in the output.


--- Christian Schwalm's two cents----

configuration:
moderson: ssh 3.0.1 solaris8/sparc (ssh2)
eldoc: ssh 2.4.0 solaris8/x86 (ssh1/ssh2)

schwalm is a valid user, blaaaaa is not. (Add or remove some a's
in blaaaaa .. I didn't count them every time.) bla.txt is a normal
text file containing some random chars. (bla in this case hehe)

scp'ing with the correct password works fine in all cases without
any error msgs.

Now we do some 3.0.1 -> 2.4.0:

# scp bla.txt blaaaaaa@eldoc:/tmp
blaaaaaa@eldoc's password:
scp: warning: ssh2 client failed to authenticate. (or you have too old
ssh2 installed, check with ssh2 -V)
warning: Authentication failed.
Disconnected; connection lost (Connection closed.).
scp: warning: child process (/usr/local/bin/ssh2) exited with code 1.

# scp bla.txt schwalm@eldoc:/tmp
schwalm@eldoc's password:
schwalm@eldoc's password:
schwalm@eldoc's password:
warning: Authentication failed.
Disconnected; no more authentication methods available (No further
authentication methods available.).
scp: warning: ssh2 client failed to authenticate. (or you have too old
ssh2 installed, check with ssh2 -V)
scp: warning: child process (/usr/local/bin/ssh2) exited with code 1.

Let's see what happens in the case of 2.4.0 -> 3.0.1:

# scp bla.txt blaaaaaa@moderson:/tmp
blaaaaaa@moderson's password:
blaaaaaa@moderson's password:
blaaaaaa@moderson's password:
warning: Authentication failed.
Disconnected; no more authentication methods available (No further
authentication methods available.).
scp: warning: child process (ssh2) exited with code 1.

# scp bla.txt schwalm@moderson:/tmp
schwalm@moderson's password:
schwalm@moderson's password:
schwalm@moderson's password:
warning: Authentication failed.
Disconnected; no more authentication methods available (No further
authentication methods available.).
scp: warning: child process (ssh2) exited with code 1.

No difference here.

Here we try some 3.0.1 -> 3.0.1:

# scp bla.txt schwalm@moderson:/tmp
schwalm@moderson's password:
schwalm@moderson's password:
schwalm@moderson's password:
scp: warning: ssh2 client failed to authenticate. (or you have too old
ssh2 installed, check with ssh2 -V)
warning: Authentication failed.
Disconnected; no more authentication methods available (No further
authentication methods available.).
scp: warning: child process (/usr/local/bin/ssh2) exited with code 1.

# scp bla.txt blaaaaaa@moderson:/tmp
blaaaaaa@moderson's password:
blaaaaaa@moderson's password:
blaaaaaa@moderson's password:
warning: Authentication failed.
Disconnected; no more authentication methods available (No further
authentication methods available.).
scp: warning: ssh2 client failed to authenticate. (or you have too old
ssh2 installed, check with ssh2 -V)
scp: warning: child process (/usr/local/bin/ssh2) exited with code 1.

Also here a slight difference in the output (different order, tried
several times).

--
Christian `eldoc´ Schwalm
schwalmATinformatikDOTuni-hannoverDOTde
"don't make your programs userfriendly, make your users friendly"

-----

In other words... usernames of ssh 2.4.0 (ssh+scp) and
3.0.1 (scp) are guessable?!?

keep me informed...

grtz,
Marco van Berkum


--
GCC dpu s:--- a- C+++ US++++ P++ L+++ E---- W N o-- K w---
O- M-- V-- PS+++ PE-- Y+ PGP--- t--- 5 X R* tv++ b+++ DI-- D----
G++ e- h+ r y*
+---------------------+------------------+-------------------+
|  Marco van Berkum   |   MB17300-RIPE   | Security Engineer |
|  http://ws.obit.nl  | "Chernobyl used  | Network Admin     |
|  m.v.berkum () obit nl |     Windows"     |      UNIX         |
+---------------------+------------------+-------------------+
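The behaviour difference Marco and Christian describe, modelled in Python as an added example that is not part of the original post or of the SSH product: a vulnerable login loop that cuts unknown users off after one prompt, next to a hardened one that gives every username the same number of prompts and the same final message. The user database, passwords, salted-SHA-256 scheme and dummy record are constructed for the demo and are assumptions, not the real server's code.

```python
import hashlib
import hmac
import os

# Constructed user database for the demo: username -> (salt, digest).
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

_SALT = os.urandom(16)
USERS = {"marco": (_SALT, _hash(_SALT, "correct horse"))}
# Dummy record (random digest that no password matches) checked for unknown
# accounts, so the code path and work done are the same whether or not
# the account exists.
_DUMMY = (os.urandom(16), os.urandom(32))

MAX_TRIES = 3

def vulnerable_auth(username: str, guesses: list[str]) -> tuple[int, str]:
    """Behaviour as observed on 2.4.0: an unknown user is dropped after one
    prompt with 'connection lost'; a known user gets three prompts."""
    if username not in USERS:
        return 1, "Disconnected; connection lost (Connection closed.)."
    salt, digest = USERS[username]
    prompts = 0
    for guess in guesses[:MAX_TRIES]:
        prompts += 1
        if hmac.compare_digest(_hash(salt, guess), digest):
            return prompts, "authenticated"
    return prompts, "Disconnected; no more authentication methods available."

def hardened_auth(username: str, guesses: list[str]) -> tuple[int, str]:
    """Same prompt count and same final message for every username; unknown
    accounts are verified against the dummy record instead of short-circuiting."""
    salt, digest = USERS.get(username, _DUMMY)
    exists = username in USERS
    prompts = 0
    for guess in guesses[:MAX_TRIES]:
        prompts += 1
        ok = hmac.compare_digest(_hash(salt, guess), digest)
        if ok and exists:
            return prompts, "authenticated"
    return prompts, "Disconnected; no more authentication methods available."

def leaks_existence(auth) -> bool:
    """True if a wrong-password session looks different for a real user
    than for a bogus one, i.e. the server acts as a username oracle."""
    bad = ["wrong1", "wrong2", "wrong3"]
    return auth("marco", bad) != auth("blaaaaa", bad)
```

Running `leaks_existence` against both functions reproduces the post's finding: the 2.4.0-style loop is distinguishable, the hardened loop is not.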
