Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: PuTTY private key passphrase stealing attack

From: Joachim Schipper <joachim () joachimschipper nl>
Date: Tue, 1 Jun 2010 12:03:00 +0200
On Tue, Jun 01, 2010 at 02:47:07AM +0200, Jan Schejbal wrote:

PuTTY, a SSH client for Windows, requests the passphrase to the ssh
key in the console window used for the connection. This could allow
a malicious server to gain access to a user's passphrase by spoofing
that prompt.



Developer notification:
The possibility of such spoofing attacks is known:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/gui-auth.html



Other software affected:
Probably many console-based SSH tools have similar issues.


This was also discussed in the context of OpenSSH; I am familiar with
http://thread.gmane.org/gmane.network.openssh.devel/16488/focus=16497,
but that was probably not the first time either.

                Joachim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: