
Bug#281595: timing attack allows attacker to determine valid usernames
On Sat, Nov 20, 2004 at 01:51:55PM +1100, Darren Tucker wrote:
> No, it's not fixed in 3.9p1.
> 
> The problem is not exactly the same, though.  In this case, it's partly 
> because the keyboard-interactive code doesn't call the kbdint driver at 
> all in this case.  The first attached patch ought to fix that.
> 
> With that fixed, a change to the PAM code is required because it will 
> complete for a real user with their real password if, eg they are listed 
> in DenyUsers.  This will result in the PAM code getting out of sync with 
> the kbdint code, resulting in the authentication hanging.  The second 
> patch ought to fix that.
> 
> I haven't done much testing of either patch, so please let me know how 
> they go.

Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
PasswordAuthentication; the patch is attached. It seems to work for me.
After a bit more testing I'll upload this to unstable.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]
Index: auth-pam.c
===================================================================
RCS file: /home/cjwatson/cvs/openssh/openssh/auth-pam.c,v
retrieving revision 1.10
diff -p -u -r1.10 auth-pam.c
--- auth-pam.c	10 Jul 2004 12:36:49 -0000	1.10
+++ auth-pam.c	27 Nov 2004 17:25:56 -0000
@@ -169,6 +169,7 @@ static int sshpam_cred_established = 0;
 static int sshpam_account_status = -1;
 static char **sshpam_env = NULL;
 static Authctxt *sshpam_authctxt = NULL;
+static char badpw[] = "\b\n\r\177INCORRECT";
 
 /* Some PAM implementations don't implement this */
 #ifndef HAVE_PAM_GETENVLIST
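Review bot: `badpw` lands in the file-scope statics with no comment saying what it is for, and a later reader will wonder why a control-character string sits next to the PAM state. A one-line comment above the declaration would do, for example `/* Unmatchable password fed to PAM for invalid accounts, so the PAM conversation still runs to completion and fails */`. Making it `static const char badpw[]` would also document that nothing is expected to write to it.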
@@ -644,7 +645,10 @@ sshpam_respond(void *ctx, u_int num, cha
 		return (-1);
 	}
 	buffer_init(&buffer);
-	buffer_put_cstring(&buffer, *resp);
+	if (sshpam_authctxt->valid)
+		buffer_put_cstring(&buffer, *resp);
+	else
+		buffer_put_cstring(&buffer, badpw);
 	if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
 		buffer_free(&buffer);
 		return (-1);
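Review bot: `sshpam_authctxt->valid` is dereferenced here with no NULL check in the hunk, and the first hunk shows the pointer initialised to NULL, so this path relies on sshpam_init() having set it before any PAM_AUTHTOK response can arrive; that ordering should be confirmed, or a `sshpam_authctxt != NULL` guard added before the test. The substitution itself is the right fix for the desync described in the quoted mail: an account that exists but is not `valid` (for example one listed in DenyUsers) would otherwise be sent its real password and PAM could complete successfully while the kbdint side has already decided the login is invalid.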
Index: auth2-chall.c
===================================================================
RCS file: /home/cjwatson/cvs/openssh/openssh/auth2-chall.c,v
retrieving revision 1.1.1.3
diff -p -u -r1.1.1.3 auth2-chall.c
--- auth2-chall.c	17 Sep 2003 00:31:55 -0000	1.1.1.3
+++ auth2-chall.c	27 Nov 2004 17:25:57 -0000
@@ -275,12 +275,9 @@ input_userauth_info_response(int type, u
 	}
 	packet_check_eom();
 
-	if (authctxt->valid) {
-		res = kbdintctxt->device->respond(kbdintctxt->ctxt,
-		    nresp, response);
-	} else {
-		res = -1;
-	}
+	res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
+	if (!authctxt->valid)
+		res = 1;	/* keep going if login invalid */
 
 	for (i = 0; i < nresp; i++) {
 		memset(response[i], 'r', strlen(response[i]));
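Review bot: `if (!authctxt->valid) res = 1;` overwrites whatever respond() returned, including -1, so a malformed response from a client probing an invalid name is turned into "needs further interaction" while the same malformed response for a valid name fails immediately; that is a different observable behaviour for the two cases. Consider narrowing the override to the success case only, `if (!authctxt->valid && res == 0) res = 1;`, so error handling stays identical regardless of whether the account exists. The comment `/* keep going if login invalid */` would also read better if it said why: the invalid account is made to follow the same query/response round trip a real account would see.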
@@ -292,7 +289,7 @@ input_userauth_info_response(int type, u
 	switch (res) {
 	case 0:
 		/* Success! */
-		authenticated = 1;
+		authenticated = authctxt->valid ? 1 : 0;
 		break;
 	case 1:
 		/* Authentication needs further interaction */
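Review bot: with the previous hunk forcing `res = 1` whenever `authctxt->valid` is false, `case 0` can only be reached with a valid account, so `authenticated = authctxt->valid ? 1 : 0;` is defence in depth rather than a live check. Keep it, but a short comment to that effect (for example `/* never grant access for an invalid account, whatever the device reported */`) would stop a later cleanup from "simplifying" it back to `authenticated = 1`.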
Index: debian/changelog
===================================================================
RCS file: /home/cjwatson/cvs/openssh/openssh/debian/changelog,v
retrieving revision 1.108
diff -p -u -r1.108 changelog
--- debian/changelog	12 Nov 2004 11:17:20 -0000	1.108
+++ debian/changelog	27 Nov 2004 17:25:57 -0000
@@ -1,3 +1,11 @@
+openssh (1:3.8.1p1-8.sarge.4) UNRELEASED; urgency=low
+
+  * Fix timing information leak allowing discovery of invalid usernames in
+    PAM keyboard-interactive authentication (backported from a patch by
+    Darren Tucker; closes: #281595).
+
+ -- Colin Watson <cjwatson@debian.org>  Sat, 27 Nov 2004 16:19:21 +0000
+
 openssh (1:3.8.1p1-8.sarge.3) unstable; urgency=low
 
   * Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
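Review bot: the entry describes the fix as specific to "PAM keyboard-interactive authentication", but the auth2-chall.c change applies to every kbdint device (respond() is now called for invalid accounts regardless of backend), and the quoted mail describes two separate patches; naming both files, or saying "keyboard-interactive authentication (including the PAM backend)", would make the entry match what the diff actually changes.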

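The leak Darren Tucker describes above, and the substitution the patch makes for it, reduced to a stand-alone C program. This is an added example, not OpenSSH or Debian code: the account table, the `slow_hash` stand-in for the PAM exchange, the dummy stored password and the conversation counter are all constructed for the demonstration. The pre-patch shape (`auth_naive`) returns before the expensive backend check when the user does not exist; the patched shape (`auth_hardened`) always runs the backend, feeds it the same unmatchable `badpw` the patch uses when the account is invalid, and never reports success unless the account was valid to begin with.

```c
/*
 * Added example, not OpenSSH code: user enumeration via authentication
 * timing, and the fix pattern Bug#281595's patch applies.  The account
 * table, slow_hash(), dummy_pw and the conversation counter are all
 * constructed for this demonstration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

struct account { const char *name; const char *password; };

/* Constructed account table with a single real user. */
static const struct account accounts[] = { { "alice", "correct horse" } };

/* Counts backend (PAM-like) conversations so the work done per attempt can
 * be compared without depending on wall-clock noise. */
static unsigned long conversations = 0;

/* Stand-in for the PAM/crypt(3) exchange: input is padded to a fixed width
 * and iterated so every call costs the same regardless of input length. */
#define HASH_ROUNDS 20000
static uint64_t slow_hash(const char *s)
{
    unsigned char buf[64] = { 0 };
    strncpy((char *)buf, s, sizeof(buf) - 1);
    uint64_t h = 1469598103934665603ULL;            /* FNV-1a basis */
    for (int r = 0; r < HASH_ROUNDS; r++)
        for (size_t i = 0; i < sizeof(buf); i++) {
            h ^= buf[i];
            h *= 1099511628211ULL;
        }
    return h;
}

/* One full backend conversation: the expensive part of an attempt. */
static int backend_check(const char *stored_pw, const char *supplied_pw)
{
    conversations++;
    return slow_hash(stored_pw) == slow_hash(supplied_pw);
}

static const struct account *find_account(const char *name)
{
    for (size_t i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return NULL;
}

/* Pre-patch shape: unknown users never reach the backend, so they fail
 * measurably faster than a known user with a wrong password. */
int auth_naive(const char *user, const char *pw)
{
    const struct account *a = find_account(user);
    if (a == NULL)
        return 0;
    return backend_check(a->password, pw);
}

/* Patched shape: always run the backend.  For an unknown user, substitute a
 * dummy stored password and the unmatchable badpw from the patch, so the
 * conversation runs to completion and fails; then refuse success unless the
 * account was valid (mirrors `authenticated = authctxt->valid ? 1 : 0`). */
static const char badpw[] = "\b\n\r\177INCORRECT";
static const char dummy_pw[] = "(no such user)";        /* constructed */
int auth_hardened(const char *user, const char *pw)
{
    const struct account *a = find_account(user);
    int valid = (a != NULL);
    int ok = backend_check(valid ? a->password : dummy_pw,
                           valid ? pw : badpw);
    return valid && ok;
}

/* Number of backend conversations a single attempt triggers. */
unsigned long conversations_for(int (*auth)(const char *, const char *),
                                const char *user, const char *pw)
{
    unsigned long before = conversations;
    auth(user, pw);
    return conversations - before;
}

int main(void)
{
    const char *probes[][2] = { { "alice", "wrong" }, { "bob", "wrong" } };
    for (int v = 0; v < 2; v++) {
        int (*auth)(const char *, const char *) = v ? auth_hardened : auth_naive;
        for (int i = 0; i < 2; i++) {
            clock_t t0 = clock();
            int ok = auth(probes[i][0], probes[i][1]);
            double ms = 1000.0 * (double)(clock() - t0) / CLOCKS_PER_SEC;
            printf("%-8s user=%-5s ok=%d  %.2f ms\n",
                   v ? "hardened" : "naive", probes[i][0], ok, ms);
        }
    }
    return 0;
}
```

Run it and the naive path shows a near-zero time for `bob` against a clearly longer one for `alice`, which is exactly the signal an attacker measures over the network; the hardened path runs one backend conversation for both. The `conversations_for` helper makes the same point deterministically, which is what the assertions below check, since wall-clock numbers vary from run to run.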