Vulnerability Development mailing list archives

Re: ssh


From: Olaf Kirch <okir () caldera de>
Date: Thu, 7 Feb 2002 10:37:41 +0100

On Wed, Feb 06, 2002 at 05:36:41PM -0500, Jose Nazario wrote:
> The attack itself is very simple. Remember that in CBC mode, each
> plaintext block is XOR'ed with the last ciphertext block and then
> encrypted to produce the next ciphertext block. Suppose the attacker
> suspects that plaintext block P_i might be x, and wants to test whether
> that's the case, he would choose the next plaintext block P_j to be x
> XOR C_(i-1) XOR C_(j-1). If his guess is correct, then C_j = Encrypt(P_j
> XOR C_(j-1)) = Encrypt(P_i XOR C_(i-1)) = C_i, and so he can confirm his
> guess by looking at whether C_j = C_i.

I understand the maths behind this, but I can't quite see a practical
attack. If the attacker wants to guess a plaintext block P_i transmitted
by the SSH client, he must feed his plaintext block P_(i+1) to the
ssh client on standard input, so that it is properly encrypted and then
transmitted. This implies a great deal of control over the client process
(such as the ability to write to the client's standard input).

Maybe I'm dense, but I can't think of many scenarios where an attacker
can get this type of control. Either someone or something establishes
an SSH connection, transmits The Secret and then relinquishes control
of the session to the attacker (which is not a very common use of SSH),
or the attacker obtains control of a user's terminal (hijacking e.g.
the xterm), or of the ssh client process itself. In the latter two cases,
The Secret can usually be retrieved much more conveniently through
traditional methods.

At any rate, I believe this can be used as a local exploit only.

> However even with this and other potential constraints it seems very
> possible for the attacker to succeed in some situations. So I suggest

I don't say it's not a problem, but I think this is exaggerating things
a bit. I cannot see this problem being exploited for most "normal" uses
of ssh (remote login and file copy). Tunneling other protocols through
an SSH connection may be a different issue, but it still seems a bit
far-fetched.

Olaf
-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.            
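Worked example of the CBC confirmation test quoted at the top of the thread, added here and not part of the original mail. The block cipher is a constructed toy Feistel network (standing in for SSH's real cipher; the CBC algebra holds for any deterministic keyed permutation), the key, IV and plaintext blocks are constructed sample values, and the function names are this example's own. The model makes Olaf's practical objection explicit: cbc_guess_confirmed() only works because the attacker gets a block of his choosing encrypted at the exact point in the chain where C_(n-1) is the previous ciphertext block. The CTR-mode functions go beyond the thread and are included only for contrast, to show why a position-keyed stream removes the equality signal.

```python
"""CBC chosen-plaintext confirmation test from the thread, on a toy cipher.
Everything here is constructed for illustration; it is not SSH code."""
import hashlib
from typing import List

BLOCK = 8          # toy block size in bytes (64-bit blocks, like 3DES/Blowfish)
HALF = BLOCK // 2
MASK = (1 << (8 * BLOCK)) - 1


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy keyed permutation: 8-round Feistel network with SHA-256 round
    functions.  Assumption: the cipher's internals do not matter, the test
    only needs E_k to be deterministic and invertible."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in range(8):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:HALF]
        left, right = right, xor(left, f)
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, blocks: List[bytes]) -> List[bytes]:
    """Standard CBC: C_k = E_k(P_k XOR C_(k-1)), with C_(-1) = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = toy_block_encrypt(key, xor(p, prev))
        out.append(prev)
    return out


def cbc_guess_confirmed(key: bytes, iv: bytes, sent: List[bytes],
                        i: int, guess: bytes) -> bool:
    """The test from the quoted mail.  The attacker has watched C_0..C_(n-1)
    go by and can get one block of his choosing encrypted next (the part
    Olaf argues is rarely possible in practice).  He submits
        P_n = guess XOR C_(i-1) XOR C_(n-1)
    so CBC computes C_n = E(guess XOR C_(i-1)), which equals
    C_i = E(P_i XOR C_(i-1)) exactly when guess == P_i."""
    cts = cbc_encrypt(key, iv, sent)
    chain = [iv] + cts            # chain[k] == C_(k-1), so chain[i] is C_(i-1)
    n = len(sent)
    p_n = xor(xor(guess, chain[i]), chain[n])
    c_n = cbc_encrypt(key, iv, sent + [p_n])[n]   # chain continues from C_(n-1)
    return c_n == cts[i]


def ctr_encrypt(key: bytes, nonce: bytes, blocks: List[bytes]) -> List[bytes]:
    """CTR mode, for contrast only (not discussed in the thread):
    C_k = P_k XOR E_k(nonce + k).  The keystream block is fixed by position,
    so a chosen plaintext block cannot be steered to collide with an earlier
    ciphertext block."""
    out = []
    for k, p in enumerate(blocks):
        counter = ((int.from_bytes(nonce, "big") + k) & MASK).to_bytes(BLOCK, "big")
        out.append(xor(p, toy_block_encrypt(key, counter)))
    return out


def ctr_guess_confirmed(key: bytes, nonce: bytes, sent: List[bytes],
                        i: int, guess: bytes) -> bool:
    """Same probe applied to CTR: with no chaining value to cancel out,
    C_n == C_i carries no information about P_i (it is False except with
    probability 2^-64), for a right guess and a wrong guess alike."""
    cts = ctr_encrypt(key, nonce, sent)
    n = len(sent)
    p_n = xor(xor(guess, cts[i]), cts[n - 1])      # the CBC recipe, now meaningless
    c_n = ctr_encrypt(key, nonce, sent + [p_n])[n]
    return c_n == cts[i]


if __name__ == "__main__":
    # Constructed sample session: three 8-byte plaintext blocks, the second
    # one being the secret the attacker wants to confirm.
    key, iv = b"constructed-key", bytes(range(BLOCK))
    sent = [b"ssh-user", b"passw0rd", b"secret!\n"]
    print("CBC, right guess :", cbc_guess_confirmed(key, iv, sent, 1, b"passw0rd"))
    print("CBC, wrong guess :", cbc_guess_confirmed(key, iv, sent, 1, b"passw0re"))
    print("CTR, right guess :", ctr_guess_confirmed(key, iv, sent, 1, b"passw0rd"))
```

Note that cbc_guess_confirmed() needs the full ciphertext prefix and the ability to append exactly one chosen block right after it; any other traffic in between changes C_(n-1) and the probe has to be recomputed, which is the "great deal of control over the client process" the reply describes.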


Current thread: