OpenSSH 3.4p1 Allows Revealing of Password (Privsep Feature)
------------------------------------------------------------------------

SUMMARY

During authentication, OpenSSH 3.4p1 with privsep enabled passes the cleartext password from the main process to the privsep child using a pipe. Using strace or truss, root can see the user's plaintext password flying by.

Andrew observed this behavior with OpenSSH 3.4p1 built using GCC on Solaris 2.8 and with the current Debian OpenSSH 3.4p1 package.

DETAILS

Given the above, the level of effort required to determine cleartext passwords is almost zero, even for the most inexperienced UNIX administrator.

Andrew realizes that no matter how you slice it, it will be possible for root to grab the password from wherever it is stored in memory. Alternatively, root could recompile sshd to log the password, or use any number of other methods. However, all of the methods just mentioned require significantly more know-how than:

truss -fp `cat /var/run/sshd.pid`

Vendor response:

Theo and Markus told Andrew that this is not an issue. Theo says that you cannot prevent root from determining a user's password. Andrew does not disagree, but asked why OpenBSD bothers to encrypt user passwords at all if that is his attitude.

ADDITIONAL INFORMATION

The information has been provided by <mailto:[EMAIL PROTECTED]> Andrew Danforth.

========================================
This bulletin is sent to members of the SecuriTeam mailing list.
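As an added example (not part of the bulletin), a small POSIX shell check a Linux administrator could run to find sshd processes that currently have a ptrace-style tracer attached, which is the vantage point strace gives. It reads the TracerPid field of /proc/<pid>/status, so it assumes a Linux /proc and does not apply to Solaris truss.

```shell
#!/bin/sh
# Added example, not code from the bulletin or from OpenSSH: report any sshd
# process on a Linux host that has a tracer (strace, gdb, ...) attached.

# Print the PID of the tracer attached to the process whose /proc status
# file is given, or 0 when nothing is attached. TracerPid is a standard
# field of /proc/<pid>/status on Linux.
tracer_pid() {
    awk '/^TracerPid:/ { print $2; exit }' "$1"
}

# Succeed (exit 0) only if the status file describes a process named sshd.
is_sshd() {
    awk '/^Name:/ { ok = ($2 == "sshd"); exit } END { exit (ok ? 0 : 1) }' "$1"
}

# Scan a /proc-style directory (default /proc); print one line per traced
# sshd and return 0 if at least one was found, 1 otherwise.
find_traced_sshd() {
    procdir="${1:-/proc}"
    found=1
    for status in "$procdir"/[0-9]*/status; do
        [ -r "$status" ] || continue
        is_sshd "$status" || continue
        t=$(tracer_pid "$status")
        if [ -n "$t" ] && [ "$t" -ne 0 ]; then
            pid=$(basename "$(dirname "$status")")
            echo "sshd pid $pid is being traced by pid $t"
            found=0
        fi
    done
    return $found
}

# Stand-alone use on the real /proc (uncomment to run as root):
# find_traced_sshd
```

A tracer shows up only while it is attached, and, as the bulletin itself notes, root has other ways to reach the password, so this is a detective check rather than a fix.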
_______________________________________________ Bits mailing list [EMAIL PROTECTED] http://www.sugoi.org/mailman/listinfo/bits
