search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Passwords sent via SSH encrypted with RC4 can be easily cracked

Vulnerability Note VU#565052

Original Release Date: 2001-01-18 | Last Revised: 2001-10-25

Overview

Passwords sent using SSH with RC4 encryption can be easily cracked by an attacker who is able to capture and replay the session. This problem occurs for three reasons: SSH sessions can be replayed, the RC4 encryption algorithm has some specific weaknesses, and the SSH daemon provides too much information during the authentication phase of the protocol.

Description

The SSH daemon has an option that will disallow NULL passwords. While enabling this option usually results in improved security (by preventing NULL passwords), it can be used under certain conditions to crack passwords as well.

An attacker launches such an attack with the following steps:

    1. Capture (by sniffing) a legitimate session between the client and the server using RC4 encryption. The only packets needed are those up to and including where the password is sent.
    2. Because of vulnerability VU#665372, the captured session can be replayed to the server for one hour. The attacker replays the captured session until the password packet is about to be sent.
    3. The attacker guesses the first character of the password and modifies the password packet by XORing this guessed character with the first character of the password in the packet. The CRC of the modified packet must be re-computed.
    4. When the modified packet is received by the server and decrypted, if the guess was correct the resulting first character of the password will be NULL. This is because the RC4 encryption algorithm is a stream cipher in which a sequence of random bits are XORed with the plaintext to produce the cipher text. Two identical characters XORed together produce zero, and the random bits in the RC4 stream do not need to be known since the server will correctly "decrypt" this byte.
    5. If the server is configured to reject NULL passwords, and the guess was correct, the server will generate a debugging message indicating that null passwords are not allowed. The attacker now knows the first character of the password. If the guess was incorrect, the server generates a different message, and the attacker goes back to step two and guesses a different character.
    6. Once the attacker knows the first character of the password, they can repeat this process to obtain other characters of the password. They simply need to make some additional changes to the SSH password packet. An SSH password packet (SSH_CMSG_AUTH_PASSWORD) has the following structure:

      Packet length (4 bytes, not encrypted)
      Padding (X bytes, encrypted)
      Packet Type (1 byte, encrypted)
      String Length (4 bytes, encrypted)
      String Value (length bytes, encrypted)
      CRC checksum (4 bytes, encrypted)
    7. To attack the next character of the password, the attacker reduces the packet length by one byte, which is easy since the packet length is not encrypted. This change causes the byte which was previously the packet type to become part of the packet padding, the first byte of the string length to become the packet type, the next three bytes of the string length and the first character of the string value to become the new string length, and so on. The interpretation of each of these bytes is shifted by one when the packet length changes.
    8. The attacker sets the new packet type to the correct type, the new string length to one less than before, and then guess the second character of the password as they did in step three. While this is somewhat more complicated than guessing the first character, it is trivial to compute these values since the same properties of the RC4 algorithm which allowed the first the attacker to guess the first character of the password can be applied to setting the packet type and string length. Specifically, the attacker knows the plaintext of the type field and can easily guess the value of the length field, revealing the "key bytes" of the RC4 stream. Once these bytes are known, new values can be generated. As before, the CRC at the end of the packet must be recomputed.
    9. This process can be repeated, decreasing the packet length and string length by one until the packet padding is eight bytes long. In practice this means that passwords less than seven characters in length can be recovered completely. But for seven character passwords, only the first character can be recovered, and for eight character passwords, only the first two characters can be recovered.

    In another variation of the attack, if the attacker has an account on the same server as the victim, the attacker can set their own password to one character, replay the session, and detect if the first character is correct. They then set their password to two characters in length and replay the session again, detecting the second character. This approach requires changes to the string length field each time, but is more dangerous because it can recover seven and eight character passwords completely.

    In summary, this problem occurs because the RC4 sessions can be replayed within the hour, the RC4 encryption algorithm has some unique features, and because the server generates different messages based on different failure modes during authentication.

    Impact

    The password used during an SSH session encrypted with RC4 can be recovered by an attacker who is able to capture and replay the session.

    Solution

    Do not use RC4 encryption

    Because this vulnerability relies on a feature of RC4 encryption, the attack can be prevented by using a different encryption algorithm.

    Vendor Information

    565052
    Expand all

    SSH Communications Security

    Updated:  February 06, 2001

    Status

      Vulnerable

    Vendor Statement

    RC4 was disabled from SSH Corp.'s distribution in 1997.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    RC4 encryption was disabled in SSH a long time ago. Current versions of SSH do not suffer from this problem since they disallow the use of this algorithm.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    OpenSSH

    Updated:  February 06, 2001

    Status

      Not Vulnerable

    Vendor Statement

    See http://www.openssh.com/security.html

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.


    CVSS Metrics

    Group Score Vector
    Base N/A N/A
    Temporal N/A N/A
    Environmental N/A

    References

    Credit

    The CERT/CC would like to thank Antti Huima, Tuomas Aura, and Janne Salmi for their analysis and Tatu Ylonen for bringing this vulnerability to our attention.

    This document was written by Cory F Cohen.

    Other Information

    CVE IDs: None
    Severity Metric: 3.21
    Date Public: 2001-01-18
    Date First Published: 2001-01-18
    Date Last Updated: 2001-10-25 23:25 UTC
    Document Revision: 11

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.