One-Time Passwords In Everything (a.k.a. OPIE) 2.32 and 2.4 allow remote attackers to determine the existence of user accounts by printing random passphrases if the user account does not exist and static passphrases if the user account does exist.
CVE-2001-1483 exposes a critical vulnerability in OPIE versions 2.32 and 2.4, allowing remote attackers to enumerate user accounts. By observing the passphrase output, attackers can definitively determine if a user account exists, facilitating account enumeration and paving the way for further attacks like brute-force password guessing or targeted phishing campaigns.
Step 1: Target Identification: The attacker identifies a system running OPIE 2.32 or 2.4.
Step 2: Authentication Attempt: The attacker attempts to authenticate to the system using a username.
Step 3: Passphrase Observation: The attacker observes the passphrase generated by OPIE.
Step 4: Account Enumeration: If a static passphrase is returned, the attacker confirms the existence of the user account. If a random passphrase is returned, the attacker determines the user account does not exist.
Step 5: Iteration (Optional): The attacker repeats steps 2-4 with different usernames to enumerate all valid user accounts.
The vulnerability stems from a flawed implementation in OPIE's authentication process: the software differentiates between valid and invalid user accounts by the type of passphrase it generates. When a valid user attempts to authenticate, a static passphrase (the challenge stored for that account) is provided; when an invalid user attempts to authenticate, a fresh random passphrase is generated instead. Because the static value is stable across attempts and the random one is not, an observer can tell the two cases apart. The root cause is a lack of proper input validation and a failure to handle error conditions consistently, which produces an information disclosure: the system gives distinct responses depending on whether a user account exists, revealing sensitive information.
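The following is an added illustration, not OPIE's own code: a toy challenge generator that reproduces the distinguishable behaviour described above beside a hardened version that derives a deterministic, secret-keyed fake challenge for unknown users, so repeated requests look the same in both cases. The user table, the server secret and the challenge format are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample account store: username -> (sequence number, seed).
USERS = {"alice": (499, "ke1234"), "bob": (87, "fo5678")}

# Constructed server-side secret; in a real deployment this would be
# generated once and kept out of the source.
SERVER_SECRET = b"constructed-server-secret"


def vulnerable_challenge(username: str) -> str:
    """Behaviour described by CVE-2001-1483: a real account gets its stored
    (stable) challenge, an unknown name gets a fresh random one every call."""
    if username in USERS:
        seq, seed = USERS[username]
        return f"otp-md5 {seq} {seed}"
    # Random on every call, so two requests for the same unknown name differ.
    return f"otp-md5 {secrets.randbelow(499) + 1} {secrets.token_hex(3)}"


def hardened_challenge(username: str) -> str:
    """Same interface, but unknown names get a challenge derived from
    HMAC(secret, username): stable across requests, unpredictable without
    the secret, and in the same value ranges as a stored challenge."""
    if username in USERS:
        seq, seed = USERS[username]
        return f"otp-md5 {seq} {seed}"
    digest = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).digest()
    seq = int.from_bytes(digest[:2], "big") % 499 + 1   # 1..499 like real accounts
    seed = digest[2:5].hex()                            # six lowercase hex chars
    return f"otp-md5 {seq} {seed}"


def is_stable(challenge_fn, username: str, tries: int = 3) -> bool:
    """Defender-side check: does the same name yield the same challenge each
    time? A difference between known and unknown names is the oracle."""
    return len({challenge_fn(username) for _ in range(tries)}) == 1
```

The hardened version only closes the challenge-content oracle; the login outcome for an unknown user is still a failure, and response timing for the two paths should be kept comparable as well.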