Displaying 4 results from an estimated 4 matches for "c0r3dump3d".
2016 Jul 19
2
Openssh use enumeration
...ity present in
the bug, it's possible in certain circumstances to provoke a DOS
condition in the access to the ssh server, I made a brief study of this
possibility here:
https://www.devconsole.info/?p=382
and included this attack in my tool that exploits this vulnerability:
https://github.com/c0r3dump3d/osueta
Is it necessary to request another CVE-ID for the DOS attack?
At least, I think it should be clarified in the announcement of the
vulnerability.
Regards.
2016 Jul 21
2
Openssh use enumeration
...sh hash of
"$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK" to where all
passwords were checked against this to prevent timing analysis for user
enumeration.
On 20 July 2016 at 19:45, Darren Tucker <dtucker at zip.com.au> wrote:
> On Tue, Jul 19, 2016 at 11:10 PM, C0r3dump3d <coredump at autistici.org>
> wrote:
> > Hi, sorry I don't know if I send this to the correct channel.
>
> It is.
>
> [..]
> > it's possible in certain circumstances to provoke a DOS
> > condition in the access to the ssh server.
>
> We have been...
2016 Jul 21
2
Openssh use enumeration
On Thu, Jul 21, 2016 at 1:34 PM, Selphie Keller
<selphie.keller at gmail.com> wrote:
> yeah I like this idea, fixes the issue with blowfish hashes and non root
> passwords, maybe random delay as the final fall back if no salts/passwords
> are found.
Well if there are no accounts with a valid salt then there's also no
valid account to compare the timing of invalid accounts
2016 Jul 22
18
Call for testing: OpenSSH 7.3
Hi,
OpenSSH 5.3 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This release contains some
substantial new features and a number of bugfixes.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH is