Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: PuTTY private key passphrase stealing attack
From: Joachim Schipper <joachim () joachimschipper nl>
Date: Tue, 1 Jun 2010 12:03:00 +0200

On Tue, Jun 01, 2010 at 02:47:07AM +0200, Jan Schejbal wrote:
PuTTY, a SSH client for Windows, requests the passphrase to the ssh
key in the console window used for the connection. This could allow
a malicious server to gain access to a user's passphrase by spoofing
that prompt.

Developer notification:
The possibility of such spoofing attacks is known:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/gui-auth.html

Other software affected:
Probably many console-based SSH tools have similar issues.

This was also discussed in the context of OpenSSH; I am familiar with
http://thread.gmane.org/gmane.network.openssh.devel/16488/focus=16497,
but that was probably not the first time either.

                Joachim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault