[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] PuTTY private key passphrase stealing attack

To: Jan Schejbal <jan.mailinglisten@xxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] PuTTY private key passphrase stealing attack
From: Borja Marcos <borjam@xxxxxxxxxx>
Date: Tue, 1 Jun 2010 12:37:16 +0200

On Jun 1, 2010, at 2:47 AM, Jan Schejbal wrote:

> PuTTY, a SSH client for Windows, requests the passphrase to the ssh key in 
> the console window used for the connection. This could allow a malicious 
> server to gain access to a user's passphrase by spoofing that prompt.
> 
> We assume that the user is using key-bases ssh auth with ssh and connects 
> using PuTTY. PuTTY now asks for the passphrase to the key. The user enters 
> the passphrase. If the passphrase is wrong, PuTTY will now request the 
> passphrase again after stating that it was wrong. If the passphrase is 
> correct, the connection to the server is established.

This kind of attack is a real classic, the in-band problem inherent to any text 
terminal. Reading of the venerable and now forgotten classic by Wood and 
Kochan, "Unix System Security", published in 1985 should still be mandatory. 
Moreover, many of these in-band risks are applicable to window systems, which 
exhibit even worse properties. See the fuss with "tab-nabbing" now.

Borja.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] PuTTY private key passphrase stealing attack
  - From: Jan Schejbal

Prev by Date: Re: [Full-disclosure] PuTTY private key passphrase stealing attack
Next by Date: [Full-disclosure] Applicure dotDefender 4.0 administrative interface cross site scripting
Previous by thread: Re: [Full-disclosure] PuTTY private key passphrase stealing attack
Next by thread: [Full-disclosure] The_UT is repenting
Index(es):
- Date
- Thread