[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] PuTTY private key passphrase stealing attack

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] PuTTY private key passphrase stealing attack
From: Joachim Schipper <joachim@xxxxxxxxxxxxxxxxxx>
Date: Tue, 1 Jun 2010 12:03:00 +0200

On Tue, Jun 01, 2010 at 02:47:07AM +0200, Jan Schejbal wrote:
> PuTTY, a SSH client for Windows, requests the passphrase to the ssh
> key in the console window used for the connection. This could allow
> a malicious server to gain access to a user's passphrase by spoofing
> that prompt.

> Developer notification:
> The possibility of such spoofing attacks is known:
> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/gui-auth.html

> Other software affected:
> Probably many console-based SSH tools have similar issues.

This was also discussed in the context of OpenSSH; I am familiar with
http://thread.gmane.org/gmane.network.openssh.devel/16488/focus=16497,
but that was probably not the first time either.

                Joachim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] PuTTY private key passphrase stealing attack
  - From: Jan Schejbal

Prev by Date: Re: [Full-disclosure] The_UT is repenting
Next by Date: Re: [Full-disclosure] PuTTY private key passphrase stealing attack
Previous by thread: Re: [Full-disclosure] PuTTY private key passphrase stealing attack
Next by thread: Re: [Full-disclosure] PuTTY private key passphrase stealing attack
Index(es):
- Date
- Thread