|
| Summary |
|---|
| Description: | sshd and rshd leak usernames. A lot of sites security-conscious enough to run sshd probably don't want username validation to be this easy. |
| Author: | Christophe Kalt <kalt@STEALTH.NET> and David Holland |
| Compromise: | Test validity of suspected system usernames |
| Vulnerable Systems: | Linux, NetBSD, Digital UNIX 4.0, all from rshd, as well as any systems running a vulnerable version of sshd. Remember to use the VERBOSE (-v) flag if you try to exploit sshd. |
| Date: | 13 June 1997 |
| Notes: | The syntax quoted at the bottom is not correct; you need to give an actual command (like ls) for the rsh problem to be demonstrated. |
| Details |
|---|
Date: Sat, 14 Jun 1997 18:22:02 -0400
From: Christophe Kalt <kalt@STEALTH.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: rshd gives away usernames

ssh also has this problem. The line

"Remote: Rhosts/hosts.equiv authentication refused: client user 'kalt', server user 'kalt', client host 'millennium.stealth.net'."

only appears when the account exists. (need to run in verbose mode)

This might not be the case if the remote sshd doesn't allow this particular kind of authentication. I didn't check for other schemes.

On Jun 13, David Holland wrote:

| Try 'rsh victimhost -l realuser' and 'rsh victimhost -l nosuchuser'.
| The error reported is different.
|
| Therefore, it's possible to determine which account names are valid.
| This is an issue only for particularly paranoid sites that probably
| already have rshd disabled, but I thought it would be worth issuing a
| warning anyway.
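
Added example (not part of the original posts and not sshd or rshd code): a toy Python model of the behaviour described above, where the detailed refusal line reaches the client only for existing accounts, next to a variant that sends one fixed reply and keeps the reason in the server-side log. The account names, client host, generic refusal text and all function names are assumptions made for the illustration.

```python
# Added illustration: a toy model of the leak, not sshd or rshd source code.
# Account names, host name and the generic refusal text are constructed.
ACCOUNTS = {"kalt", "root"}      # constructed sample account database
GENERIC = "Permission denied."   # assumed uniform refusal text


def leaky_refusal(user, host):
    """Behaviour described in the post: detailed line only for real accounts."""
    if user in ACCOUNTS:
        return ["Remote: Rhosts/hosts.equiv authentication refused: "
                f"client user '{user}', server user '{user}', "
                f"client host '{host}'."]
    return []                    # no account-specific line is sent


def uniform_refusal(user, host, server_log):
    """Same text for every client; the detail stays in the server-side log."""
    reason = "rhosts refused" if user in ACCOUNTS else "no such account"
    server_log.append(f"refused user={user!r} host={host} reason={reason}")
    return [GENERIC]


def response_classes(respond, users, host):
    """Group the tested names by the reply each one receives.

    Echoed inputs are masked first, so a reply that merely repeats the
    requested name is not mistaken for a leak.
    """
    classes = {}
    for user in users:
        key = tuple(line.replace(user, "<user>").replace(host, "<host>")
                    for line in respond(user, host))
        classes.setdefault(key, []).append(user)
    return classes


def leaks_usernames(respond, users, host):
    """True when the replies fall into more than one class."""
    return len(response_classes(respond, users, host)) > 1


if __name__ == "__main__":
    names, host, log = ["kalt", "root", "nosuchuser"], "client.example", []
    print(leaks_usernames(leaky_refusal, names, host))
    print(leaks_usernames(lambda u, h: uniform_refusal(u, h, log), names, host))
    print(*log, sep="\n")
```

Run as a regression check, the first call reports a leak and the second does not, while the log still records why each request was refused.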