Full Disclosure mailing list archives
Re: PuTTY private key passphrase stealing attack
From: Joachim Schipper <joachim () joachimschipper nl>
Date: Tue, 1 Jun 2010 12:03:00 +0200
On Tue, Jun 01, 2010 at 02:47:07AM +0200, Jan Schejbal wrote:
PuTTY, a SSH client for Windows, requests the passphrase to the ssh key in the console window used for the connection. This could allow a malicious server to gain access to a user's passphrase by spoofing that prompt.
Developer notification: The possibility of such spoofing attacks is known: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/gui-auth.html
Other software affected: Probably many console-based SSH tools have similar issues.
This was also discussed in the context of OpenSSH; I am familiar with http://thread.gmane.org/gmane.network.openssh.devel/16488/focus=16497, but that was probably not the first time either. Joachim _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: PuTTY private key passphrase stealing attack halfdog (Jun 01)
- <Possible follow-ups>
- Re: PuTTY private key passphrase stealing attack Benji (Jun 01)
- Re: PuTTY private key passphrase stealing attack Joachim Schipper (Jun 01)
- Re: PuTTY private key passphrase stealing attack Borja Marcos (Jun 01)
- Re: PuTTY private key passphrase stealing attack rapper crazy (Jun 02)
- Re: PuTTY private key passphrase stealing attack Joachim Schipper (Jun 02)
- Re: PuTTY private key passphrase stealing attack paul . szabo (Jun 02)
- Re: PuTTY private key passphrase stealing attack Marsh Ray (Jun 02)
- Re: PuTTY private key passphrase stealing attack Jan Schejbal (Jun 03)
- Re: PuTTY private key passphrase stealing attack Joachim Schipper (Jun 02)