Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: PuTTY private key passphrase stealing attack
From: Borja Marcos <borjam () sarenet es>
Date: Tue, 1 Jun 2010 12:37:16 +0200


On Jun 1, 2010, at 2:47 AM, Jan Schejbal wrote:

PuTTY, a SSH client for Windows, requests the passphrase to the ssh key in the console window used for the 
connection. This could allow a malicious server to gain access to a user's passphrase by spoofing that prompt.

We assume that the user is using key-bases ssh auth with ssh and connects using PuTTY. PuTTY now asks for the 
passphrase to the key. The user enters the passphrase. If the passphrase is wrong, PuTTY will now request the 
passphrase again after stating that it was wrong. If the passphrase is correct, the connection to the server is 
established.

This kind of attack is a real classic, the in-band problem inherent to any text terminal. Reading of the venerable and 
now forgotten classic by Wood and Kochan, "Unix System Security", published in 1985 should still be mandatory. 
Moreover, many of these in-band risks are applicable to window systems, which exhibit even worse properties. See the 
fuss with "tab-nabbing" now.





Borja.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]