Re: AIX password enumeration possible

[alex medvedev <alexm () pycckue org>]

Hallo,

I think the privilege escalation risk here is not higher than
remote password brut forcing.

One only gets msg 3004-306 when she supplied the password correctly.
This unique response does not "allow an attacker to determine
the password" but simply states that the password was correct.

Assuming an account is not remote login disabled:
Don't you get a shell prompt when the correct passwd has been entered?
Same here: user enters right passwd --> she gets the right message.

Also, by the time you pick the passwd the AIX admin will have got you
for filling up his root filesystem as each unsuccessful attempt adds
about 650 bytes to /etc/security/failedlogin.
Default AIX rootfs is 2 PP, which is usually 2x16=32 MB, i.e. it won't be
long.

Or should I stop smoking crack?

-alexm
14:45 11/02/2004

On 6 Feb 2004, Scott J wrote:

> This advisory first submitted to BugTraq July 2003 - rejected but since a less detailed post on this subject made it 
> to the list as a reply and there have been subsequent inquiries regarding it off-list, there may be interest in 
> placing this on the list now.
> Email exchanges with BugTraq personnel (in July of last year) were the source of info that indicated Solaris may 
> suffer from the same issue.
> Currently, BPR personnel can neither confirm or deny this behaviour exists in any OS other than AIX of versions 
> mentioned below.
>
> ---------------- BinaryPowered Research advisory 2003-01 -----------------
> This advisory may be reproduced and redistributed in any manner.
> BPR and the author(s) of this advisory assume no liability for any misuse
> of information contained in this advisory.  Neither BPR nor the author(s) are in any
> way liable for any damages caused by or believed to arise from
> this advisory.
> ---------------- BinaryPowered Research advisory 2003-01 -----------------
>
> Abstract:           Remote password enumeration possible for
>                     accounts not permitted direct login in AIX
> Affected Systems:   AIX 4.3.3 and AIX 5.1, likely other levels of AIX
> Vendor:             International Business Machines Corporation (IBM)
> Severity:           Low
> Result:             Privilege escalation possible in some circumstances
> Vendor Notified:    YES
> Vendor Response:    Within one day
> Patch Issued:       None available.
> Release date:       2003-07-17
> Rereleased:         2004-02-06
>
> --------------------------------------------------------------------------
>
> Discussion:
>
> During some configuration change and testing of AIX for a client, BPR discovered that it is possible to remotely 
> enumerate the passwords of a known AIX account.  The only configuration change required to allow this to happen in 
> AIX is to disable remote logins for a given account (via the command "chuser rlogin=false a_userid").  If a remote 
> attacker tries to connect to the vulnerable machine with an incorrect password  (but a known correct account name), 
> the response from AIX will be:
> "3004-007 You entered an invalid login name or password."
> In the case that the correct password is provided, the response is as follows:
> "3004-306 Remote logins are not allowed for this account."
> This different, unique response allows an attacker to determine the password of the account in question.

<deleted...>