Re: BID 7482, bug in OpenSSH (Still in FreeBSD-STABLE)

[Damien Miller <djm () mindrot org>]

BTW this is an old bug, that was discussed on bugtraq last year.

Felipe Neuwald wrote:
> Hello Folks,
>
> I tested only versions OpenSSH_3.5p1 (FreeBSD-STABLE), but it also work
> on other versions, as published May 01, 2003.

This bug existed in the PAM code of portable OpenSSH (not the OpenBSD
version), and was fixed before 3.7p1.

> It's easy to make one little program to discover with bruteforce the
> correct password of the root login. If the attacker have physical access
> to the system, it's very easy own the system.

You will likely be waiting a good while to guess any non-trivial
password.

This bug only exposes additional information when you find the
correct root password. You still have to search the entire keyspace with
no feedback to speed the search and you will have to reconnect every
three guesses.

Therefore, I don't agree that the impact of this old bug would make it
"very easy to own the system".

-d