CVE-2003-0190

OpenSSH < 3.6.1 - Username Enumeration via PAM Timing Attack

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2003-0190. PoCs published by Nicolas Couture, Maurizio Agazzini.

AI-analyzed exploit summary: This script exploits a timing vulnerability in OpenSSH <= 3.6.p1 to determine if a user exists on a remote server by comparing response times for valid and invalid users. It uses Expect to automate SSH login attempts and measures the delay to infer user existence.

Description

OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.

Exploits (3)

exploitdb SCANNER VERIFIED
by Nicolas Couture · bash · remote · linux
https://www.exploit-db.com/exploits/26

This script exploits a timing vulnerability in OpenSSH <= 3.6.p1 to determine if a user exists on a remote server by comparing response times for valid and invalid users. It uses Expect to automate SSH login attempts and measures the delay to infer user existence.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: OpenSSH <= 3.6.p1
No auth needed
Prerequisites: Host's public key · Network access to the target SSH server
devstral-2 · analyzed Feb 16, 2026

exploitdb SCANNER VERIFIED
by Maurizio Agazzini · c · remote · linux
https://www.exploit-db.com/exploits/25

This code is a proof-of-concept scanner for CVE-2003-0190, which exploits a timing discrepancy in OpenSSH/PAM to enumerate valid usernames. It measures the response time for invalid vs. valid users to determine existence.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: OpenSSH/PAM <= 3.6.1p1
No auth needed
Prerequisites: patched OpenSSH client · list of usernames to test · network access to target SSH server
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
shell · remote · multiple
https://www.exploit-db.com/exploits/3303

This script exploits a timing attack vulnerability in OpenSSH (CVE-2003-0190) to determine valid usernames by measuring response time discrepancies. It uses `expect` to automate SSH login attempts and records the time taken for 'Permission denied' responses.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: OpenSSH-portable 3.6.1p1 and earlier with PAM support
No auth needed
Prerequisites: expect interpreter installed · pre-approved target hostkey · wordlist of usernames
devstral-2 · analyzed Feb 19, 2026

Scores

EPSS: 0.2058
EPSS Percentile: 95.7%

Details

CWE: CWE-203
Status: published
Products (6)
openbsd/openssh 3.6.1 p1
openbsd/openssh < 3.6.1
openpkg/openpkg 1.2
openpkg/openpkg 1.3
siemens/scalance_x204rna_ecc_firmware < 3.2.7
siemens/scalance_x204rna_firmware < 3.2.7
Published: May 12, 2003
Tracked Since: Feb 18, 2026