ssh-1.2.27 fails to check size of RSA-key

[markus.friedl () INFORMATIK UNI-ERLANGEN DE (Markus Friedl)]

While developing OpenSSH Niels Provos <provos () openbsd org>
has discovered the following flaw in ssh-1.2.27. Older
versions may be affected, too:

During connection setup the ssh-server sends it's public
host key information to the client. This information
consists of the RSA parameters 'e', 'n' and the size of 'n' in bits.

The ssh-1.2.27 client does not check whether the announced size
is equal to the actual size of 'n' and blindly uses the supplied
information, displays it to the user and saves the information
in the ~/.ssh/known_hosts file.

Thus it is possible for a malicious server to announce a
parameter size of 1024 bits while actually transmitting a
host key with only 1017 bits (the 7 most significant bits
are set to 0).

While this _may_ not be actively exploitable it is at least
misleading, since the user thinks he is using a 'more'
secure key.

Needless to mention that OpenSSH does check the actual size of
the transmitted parameter 'n'.

MfG, -markus