lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20100601100300.GD2837@polymnia.joachimschipper.nl>
Date: Tue, 1 Jun 2010 12:03:00 +0200
From: Joachim Schipper <joachim@...chimschipper.nl>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: PuTTY private key passphrase stealing attack

On Tue, Jun 01, 2010 at 02:47:07AM +0200, Jan Schejbal wrote:
> PuTTY, a SSH client for Windows, requests the passphrase to the ssh
> key in the console window used for the connection. This could allow
> a malicious server to gain access to a user's passphrase by spoofing
> that prompt.

> Developer notification:
> The possibility of such spoofing attacks is known:
> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/gui-auth.html

> Other software affected:
> Probably many console-based SSH tools have similar issues.

This was also discussed in the context of OpenSSH; I am familiar with
http://thread.gmane.org/gmane.network.openssh.devel/16488/focus=16497,
but that was probably not the first time either.

		Joachim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ