Vigil@nce - OpenSSH: bypassing PermitRootLogin
September 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who knows the root password can log in to OpenSSH,
even if the PermitRootLogin=prohibit-password (or
without-password) directive is used.
Impacted products: Copssh, OpenBSD, OpenSSH.
Severity: 1/4.
Creation date: 21/08/2015.
DESCRIPTION OF THE VULNERABILITY
The PermitRootLogin directive of OpenSSH defines whether the root user
is allowed to log in:
– yes
– no
– prohibit-password or without-password: authentication with a
password or with keyboard-interactive is forbidden
However, when prohibit-password or without-password is used, and
when OpenSSH is compiled with GSSAPI support, the logic is
inverted in the auth_root_allowed() function of the auth.c file
when the "gssapi-with-mic" authentication method is processed. The
root user can thus authenticate with a password, whereas the other
methods are correctly rejected.
An attacker who knows the root password can therefore log in to
OpenSSH, even if the PermitRootLogin=prohibit-password (or
without-password) directive is used.
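The condition described above only arises when root login is restricted with prohibit-password/without-password and GSSAPI authentication is enabled at the same time. The following audit script is an added example, not part of the Vigil@nce bulletin or of OpenSSH: it parses the global section of an sshd_config (first occurrence of a keyword wins, as in OpenSSH) and flags that combination so an administrator can fall back to PermitRootLogin no or GSSAPIAuthentication no until the server is patched. The sample configurations are constructed; the assumed defaults (PermitRootLogin prohibit-password, GSSAPIAuthentication no) are those of OpenSSH 7.0 and later.

```python
import re

# Constructed sample configurations (not taken from the advisory).
SAMPLE_VULNERABLE_CONFIG = """
# sshd_config relying on the per-method check that the bulletin says is inverted
Port 22
PermitRootLogin prohibit-password
GSSAPIAuthentication yes
PasswordAuthentication yes
"""

SAMPLE_HARDENED_CONFIG = """
# Either setting alone removes the condition; both are applied here
PermitRootLogin no
GSSAPIAuthentication no
"""

# Keyword followed by whitespace or '=' and a value, as sshd_config allows.
_DIRECTIVE = re.compile(r'^([A-Za-z]+)\s*(?:=|\s)\s*(.+)$')


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section of sshd_config.

    OpenSSH honours the first occurrence of a keyword and ignores later
    duplicates, so the first value seen is kept. Parsing stops at the first
    Match block (assumption: only the global section is audited here).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == 'match':
            break
        settings.setdefault(keyword, value)
    return settings


def assess(text):
    """Return a list of findings; an empty list means the combination
    described in the bulletin (prohibit-password/without-password together
    with GSSAPI authentication) is not present."""
    settings = parse_sshd_config(text)
    # Assumed defaults for OpenSSH >= 7.0 when the keyword is absent.
    permit = settings.get('permitrootlogin', 'prohibit-password').lower()
    gssapi = settings.get('gssapiauthentication', 'no').lower()
    findings = []
    if permit in ('prohibit-password', 'without-password') and gssapi == 'yes':
        findings.append(
            'PermitRootLogin %s with GSSAPIAuthentication yes: root password '
            'logins may be accepted via gssapi-with-mic on unpatched servers; '
            'set PermitRootLogin no or GSSAPIAuthentication no' % permit)
    return findings


if __name__ == '__main__':
    for name, cfg in (('vulnerable', SAMPLE_VULNERABLE_CONFIG),
                      ('hardened', SAMPLE_HARDENED_CONFIG)):
        print(name, assess(cfg) or ['no finding'])
```

Run it against a real file with `assess(open('/etc/ssh/sshd_config').read())`; an empty list means the two directives are not combined in the global section, not that the installed OpenSSH is patched.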
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenSSH-bypassing-PermitRootLogin-17730