bug on openssh 3.5p1

marco.ortisi at flashcom.it
Sat Nov 9 03:19:28 EST 2002


Excuse me in advance for my poor English.

I have noticed a small bug in OpenSSH 3.5p1. When the root user is not
permitted to log in to a system (PermitRoot no) and a correct password
is submitted for it to the server, an RST packet is issued from the server to the client:

[root at xxx root]# ssh victim
root at victim's password:
Permission denied, please try again.
root at victim's password:
Permission denied, please try again.
.........
root at victim's password:
Read from remote host 10.12.7.110: Connection reset by peer
Connection to victim closed. 


tcpdump session: 

12:17:32.650039 attacker.32804 > victim.22: S 1378959426:1378959426(0) win 5840
12:17:32.650538 victim.22 > attacker.32804: S 671772074:671772074(0) ack 1378959427 win 5792
12:17:32.650627 attacker.32804 > victim.22: . ack 1 win 5840
12:17:32.651741 victim.22 > attacker.32804: P 1:24(23) ack 1 win 5792
12:17:32.652078 attacker.32804 > victim.22: . ack 24 win 5840
12:17:32.652552 attacker.32804 > victim.22: P 1:23(22) ack 24 win 5840
12:17:32.652665 victim.22 > attacker.32804: . ack 23 win 5792
12:17:32.653418 attacker.32804 > victim.22: P 23:567(544) ack 24 win 5840
12:17:32.653684 victim.22 > attacker.32804: . ack 567 win 6528
12:17:32.654515 victim.22 > attacker.32804: P 24:568(544) ack 567 win 6528
12:17:32.654976 attacker.32804 > victim.22: P 567:591(24) ack 568 win 6528
12:17:32.660227 victim.22 > attacker.32804: P 568:992(424) ack 591 win 6528
12:17:32.696527 attacker.32804 > victim.22: P 591:1007(416) ack 992 win 7616
12:17:32.729500 victim.22 > attacker.32804: . ack 1007 win 7616
12:17:32.731171 victim.22 > attacker.32804: P 992:1728(736) ack 1007 win 7616
12:17:32.769467 attacker.32804 > victim.22: . ack 1728 win 8832
12:17:32.776527 attacker.32804 > victim.22: P 1007:1023(16) ack 1728 win 8832
12:17:32.776642 victim.22 > attacker.32804: . ack 1023 win 7616
12:17:32.777104 attacker.32804 > victim.22: P 1023:1071(48) ack 1728 win 8832
12:17:32.777226 victim.22 > attacker.32804: . ack 1071 win 7616
12:17:32.777326 victim.22 > attacker.32804: P 1728:1776(48) ack 1071 win 7616
12:17:32.777711 attacker.32804 > victim.22: . ack 1776 win 8832
12:17:32.778119 attacker.32804 > victim.22: P 1071:1135(64) ack 1776 win 8832
12:17:32.782956 victim.22 > attacker.32804: P 1776:1856(80) ack 1135 win 7616
12:17:32.783357 attacker.32804 > victim.22: P 1135:1231(96) ack 1856 win 8832
12:17:32.783594 victim.22 > attacker.32804: P 1856:1936(80) ack 1231 win 7616
12:17:32.822179 attacker.32804 > victim.22: . ack 1936 win 8832
12:17:44.779338 attacker.32804 > victim.22: P 1231:1375(144) ack 1936 win 8832
12:17:44.782988 victim.22 > attacker.32804: P 1936:1968(32) ack 1375 win 7616
12:17:44.783015 attacker.32804 > victim.22: . ack 1968 win 8832
12:17:44.783402 attacker.32804 > victim.22: P 1375:1439(64) ack 1968 win 8832
12:17:44.784724 victim.22 > attacker.32804: R 1968:1968(0) ack 1439 win 7616

This behavior can be used for a brute-force attack on root's password.

In OpenSSH 3.4 and lower versions the correct behavior was this:

[root at xxx root]# ssh victim
root at victim's password:
Permission denied, please try again.
root at victim's password:
Permission denied, please try again.
root at victim's password:
Permission denied (publickey,password,keyboard-interactive).
[root at ghetuetto root]# 

12:18:36.066006 attacker.32805 > victim.22: S 1441357334:1441357334(0) win 5840
12:18:36.066132 victim.22 > attacker.32805: S 733426253:733426253(0) ack 1441357335 win 5792
12:18:36.066187 attacker.32805 > victim.22: . ack 1 win 5840
12:18:36.067281 victim.22 > attacker.32805: P 1:24(23) ack 1 win 5792
12:18:36.067344 attacker.32805 > victim.22: . ack 24 win 5840
12:18:36.068190 attacker.32805 > victim.22: P 1:23(22) ack 24 win 5840
12:18:36.068309 victim.22 > attacker.32805: . ack 23 win 5792
12:18:36.069017 attacker.32805 > victim.22: P 23:567(544) ack 24 win 5840
12:18:36.069287 victim.22 > attacker.32805: . ack 567 win 6528
12:18:36.070158 victim.22 > attacker.32805: P 24:568(544) ack 567 win 6528
12:18:36.070640 attacker.32805 > victim.22: P 567:591(24) ack 568 win 6528
12:18:36.075567 victim.22 > attacker.32805: P 568:992(424) ack 591 win 6528
12:18:36.111904 attacker.32805 > victim.22: P 591:1007(416) ack 992 win 7616
12:18:36.146240 victim.22 > attacker.32805: P 992:1728(736) ack 1007 win 7616
12:18:36.183531 attacker.32805 > victim.22: . ack 1728 win 8832
12:18:36.191387 attacker.32805 > victim.22: P 1007:1023(16) ack 1728 win 8832
12:18:36.226436 victim.22 > attacker.32805: . ack 1023 win 7616
12:18:36.226489 attacker.32805 > victim.22: P 1023:1071(48) ack 1728 win 8832
12:18:36.226602 victim.22 > attacker.32805: . ack 1071 win 7616
12:18:36.226709 victim.22 > attacker.32805: P 1728:1776(48) ack 1071 win 7616
12:18:36.227105 attacker.32805 > victim.22: . ack 1776 win 8832
12:18:36.227506 attacker.32805 > victim.22: P 1071:1135(64) ack 1776 win 8832
12:18:36.232244 victim.22 > attacker.32805: P 1776:1856(80) ack 1135 win 7616
12:18:36.232646 attacker.32805 > victim.22: P 1135:1231(96) ack 1856 win 8832
12:18:36.232877 victim.22 > attacker.32805: P 1856:1936(80) ack 1231 win 7616
12:18:36.271398 attacker.32805 > victim.22: . ack 1936 win 8832
12:18:40.784165 attacker.32805 > victim.22: P 1231:1375(144) ack 1936 win 8832
12:18:40.817684 victim.22 > attacker.32805: . ack 1375 win 7616
12:18:43.138984 victim.22 > attacker.32805: P 1936:2016(80) ack 1375 win 7616
12:18:43.139018 attacker.32805 > victim.22: . ack 2016 win 8832
12:19:00.035910 attacker.32805 > victim.22: P 1375:1519(144) ack 2016 win 8832
12:19:00.036060 victim.22 > attacker.32805: . ack 1519 win 7616
12:19:02.383905 victim.22 > attacker.32805: P 2016:2096(80) ack 1519 win 7616
12:19:02.383954 attacker.32805 > victim.22: . ack 2096 win 8832
12:19:22.108082 attacker.32805 > victim.22: P 1519:1663(144) ack 2096 win 8832
12:19:22.108250 victim.22 > attacker.32805: . ack 1663 win 7616
12:19:24.459964 victim.22 > attacker.32805: P 2096:2176(80) ack 1663 win 7616
12:19:24.460016 attacker.32805 > victim.22: . ack 2176 win 8832
12:19:24.460332 attacker.32805 > victim.22: F 1663:1663(0) ack 2176 win 8832
12:19:24.460536 victim.22 > attacker.32805: F 2176:2176(0) ack 1664 win 7616
12:19:24.460591 attacker.32805 > victim.22: . ack 2177 win 8832

Regards,
Marco Ortisi 
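The difference between the two captures above is how the server closes the session: a server-originated RST in the first, a normal FIN exchange in the second. The following script is an added example, not part of Marco's post or of OpenSSH; it parses tcpdump 3.x flow lines in the format quoted above and reports, per SSH session, how the server ended it, so that captures from a monitored host can be triaged for this kind of response-side difference. The embedded sample is an excerpt of the lines quoted in the post.

```python
import re

# Matches the tcpdump 3.x flow line format used in the post, e.g.
# "12:17:44.784724 victim.22 > attacker.32804: R 1968:1968(0) ack 1439 win 7616"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)"
)

# Constructed sample: an excerpt of the two sessions captured in the post.
SAMPLE_CAPTURE = """\
12:17:32.650039 attacker.32804 > victim.22: S 1378959426:1378959426(0) win 5840
12:17:32.650538 victim.22 > attacker.32804: S 671772074:671772074(0) ack 1378959427 win 5792
12:17:44.783402 attacker.32804 > victim.22: P 1375:1439(64) ack 1968 win 8832
12:17:44.784724 victim.22 > attacker.32804: R 1968:1968(0) ack 1439 win 7616
12:18:36.066006 attacker.32805 > victim.22: S 1441357334:1441357334(0) win 5840
12:19:22.108082 attacker.32805 > victim.22: P 1519:1663(144) ack 2096 win 8832
12:19:24.459964 victim.22 > attacker.32805: P 2096:2176(80) ack 1663 win 7616
12:19:24.460332 attacker.32805 > victim.22: F 1663:1663(0) ack 2176 win 8832
12:19:24.460536 victim.22 > attacker.32805: F 2176:2176(0) ack 1664 win 7616
""".splitlines()


def classify_sessions(lines, ssh_port=22):
    """Group flow lines into (client, client_port, server) sessions on ssh_port.

    For each session, count client data pushes and record how the session
    ended: "open", "fin", "client_rst" or "server_rst".
    """
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a TCP flow line
        src, sport, dst, dport, flags = (
            m.group(k) for k in ("src", "sport", "dst", "dport", "flags"))
        if int(dport) == ssh_port:      # client -> server direction
            key, from_server = (src, int(sport), dst), False
        elif int(sport) == ssh_port:    # server -> client direction
            key, from_server = (dst, int(dport), src), True
        else:
            continue
        s = sessions.setdefault(key, {"client_pushes": 0, "ending": "open"})
        if "P" in flags and not from_server:
            s["client_pushes"] += 1
        if "R" in flags:
            s["ending"] = "server_rst" if from_server else "client_rst"
        elif "F" in flags and s["ending"] == "open":
            s["ending"] = "fin"
    return sessions


def server_reset_sessions(sessions):
    """Return the session keys that the server tore down with an RST."""
    return [k for k, s in sessions.items() if s["ending"] == "server_rst"]


if __name__ == "__main__":
    for key, s in classify_sessions(SAMPLE_CAPTURE).items():
        print(key, s)
```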


