Vulnerability Development mailing list archives

Re: ssh


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 7 Feb 2002 15:49:54 -0500 (EST)

On Thu, 7 Feb 2002, Olaf Kirch wrote:

> I understand the maths behind this, but I can't quite see a practical
> attack. If the attacker wants to guess a plaintext block P_i transmitted
> by the SSH client, he must feed his plaintext block P_(i+1) to the ssh
> client on standard input, so that it is properly encrypted and then
> transmitted. This implies a great deal of control over the client
> process (such as the ability to write to the client's standard input).

Well, in some cases, this might be possible. For example, when some
protocol is tunneled over ssh - irc, smtp, pop3, and so on, and so on.
Pretty common application. In many cases, a block of at least partially
sensitive information (private messages, mails, etc) can be followed by
an attacker-induced block (irc ping responses, smtp return envelope,
whatever). Of course, this usually does not apply to any interactive
sessions - some might argue that users are often predictable, e.g. always
type 'ls' after logging in, but...

> I don't say it's not a problem, but I think this is exaggerating things
> a bit.

That's a different thing ;-)

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
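
The block-guessing property discussed in this thread, as an added example that is not part of the original message: it shows why a CBC IV that is visible before the next plaintext is chosen lets an observer confirm a guess at an earlier block, and why an IV chosen only at encryption time removes the check. The toy Feistel cipher, the `CbcSender` class and the sample blocks are constructed for illustration and are not SSH code.

```python
import hashlib, hmac, os

BLOCK = 16  # block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key, block):
    # 4-round Feistel network keyed with HMAC-SHA256: a stand-in permutation,
    # used only because the standard library ships no block cipher.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

class CbcSender:
    """Encrypts single blocks in CBC mode; `chained` selects the IV policy."""
    def __init__(self, key, chained):
        self.key, self.chained = key, chained
        self.last_ct = os.urandom(BLOCK)  # initial IV

    def send(self, plaintext_block):
        # chained: IV = last ciphertext block, already visible on the wire
        # fresh:   IV = new random value chosen only at encryption time
        iv = self.last_ct if self.chained else os.urandom(BLOCK)
        self.last_ct = toy_block_encrypt(self.key, xor(plaintext_block, iv))
        return iv, self.last_ct

def guess_confirmed(sender, seen_iv, seen_ct, guess):
    # Observer's check: submit guess ^ seen_iv ^ predicted_iv as the next block.
    # If the prediction holds, the cipher input is guess ^ seen_iv, so the
    # output equals seen_ct exactly when guess == the original plaintext.
    predicted_iv = sender.last_ct
    _, ct = sender.send(xor(xor(guess, seen_iv), predicted_iv))
    return ct == seen_ct

def run(chained):
    sender = CbcSender(os.urandom(32), chained)
    secret = b"PRIVMSG bob :hi!"        # constructed 16-byte sample block
    iv, ct = sender.send(secret)
    sender.send(b"unrelated block.")    # other traffic in between
    wrong = guess_confirmed(sender, iv, ct, b"PRIVMSG bob :no!")
    right = guess_confirmed(sender, iv, ct, secret)
    return wrong, right                 # (wrong guess confirmed?, right guess confirmed?)
```

With the chained IV only the correct guess is confirmed; with the fresh IV neither is, so the observer learns nothing from the comparison.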



