Bugtraq mailing list archives
ssh-1.2.27 fails to check size of RSA-key
From: markus.friedl () INFORMATIK UNI-ERLANGEN DE (Markus Friedl)
Date: Fri, 5 Nov 1999 08:56:32 +0100
While developing OpenSSH, Niels Provos <provos () openbsd org> has discovered the following flaw in ssh-1.2.27. Older versions may be affected, too:

During connection setup the ssh-server sends its public host key information to the client. This information consists of the RSA parameters 'e', 'n' and the size of 'n' in bits. The ssh-1.2.27 client does not check whether the announced size is equal to the actual size of 'n' and blindly uses the supplied information, displays it to the user and saves the information in the ~/.ssh/known_hosts file.

Thus it is possible for a malicious server to announce a parameter size of 1024 bits while actually transmitting a host key with only 1017 bits (the 7 most significant bits are set to 0).

While this _may_ not be actively exploitable, it is at least misleading, since the user thinks he is using a 'more' secure key.

Needless to mention that OpenSSH does check the actual size of the transmitted parameter 'n'.

MfG,
-markus
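An added example, not part of the original post and not ssh or OpenSSH code: the check the post describes (announced size versus actual bit length of 'n'), applied as an audit of saved host keys. It assumes SSH1-style known_hosts lines of the form `host bits e n [comment]` with decimal numbers; the hostnames and moduli are constructed and are not real keys.

```python
"""Flag SSH1 known_hosts entries whose declared key size differs from
the real bit length of the modulus n (added example, constructed data)."""


def modulus_size_matches(declared_bits: int, n: int) -> bool:
    # The comparison the post says ssh-1.2.27 omits:
    # announced size must equal the actual size of n.
    return n.bit_length() == declared_bits


def audit_known_hosts(lines):
    """Return (line_no, host, declared_bits, actual_bits) for each mismatch."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        # Assumed layout: host bits e n [comment], numbers in decimal.
        if len(fields) < 4 or not all(f.isdecimal() for f in fields[1:4]):
            continue  # not an SSH1 RSA entry; skipped, not judged
        declared, _e, n = (int(f) for f in fields[1:4])
        if not modulus_size_matches(declared, n):
            findings.append((line_no, fields[0], declared, n.bit_length()))
    return findings


# Constructed sample values: correct bit lengths, but not real RSA moduli.
N_1024 = (1 << 1023) | 1   # top bit set: really 1024 bits
N_1017 = (1 << 1016) | 1   # 7 most significant bits are 0: only 1017 bits
SAMPLE = [
    "# constructed sample",
    f"good.example.test 1024 35 {N_1024}",
    f"short.example.test 1024 35 {N_1017} announced-as-1024",
]

if __name__ == "__main__":
    for line_no, host, declared, actual in audit_known_hosts(SAMPLE):
        print(f"line {line_no}: {host} declares {declared} bits, "
              f"modulus has {actual}")
```
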