[Full-Disclosure] Re: [ GLSA 200408-04 ] PuTTY: Pre-authentication arbitrary code execution

From: harry (Rik.Bobbaers_at_cc.kuleuven.ac.be)
Date: 08/06/04

    To: full-disclosure@lists.netsys.com
    Date: Fri, 06 Aug 2004 11:28:53 +0200


    Sune Kloppenborg Jeppesen wrote:
    <snip>
    > Description
    > ===========
    >
    > PuTTY contains a vulnerability allowing a malicious server to execute
    > arbitrary code on the connecting client before host key verification.
    >
    > Impact
    > ======
    >
    > When connecting to a server using the SSH2 protocol an attacker is able
    > to execute arbitrary code with the permissions of the user running
    > PuTTY by sending specially crafted packets to the client during the
    > authentication process but before host key verification.

    <snip>

    does this mean that everyone on the network can execute arbitrary code
    on the victim's machine by simply doing a man in the middle attack?

    what other security issues are attached to this? is it only a
    vulnerability if the server you're on is not trusted? (in that case, you
    shouldn't even trust the ssh daemon and you shouldn't be there :))

    -- 
    harry
    aka Rik Bobbaers
    K.U.Leuven - LUDIT             -=- Tel: +32 485 52 71 50
    Rik.Bobbaers@cc.kuleuven.ac.be -=- http://harry.ulyssis.org
    "\x41\x20\x63\x6f\x6d\x70\x75\x74\x65\x72\x20\x77\x69\x74\x68\x6f\x75\x74\x20"
    "\x57\x69\x6e\x64\x6f\x77\x73\x20\x69\x73\x20\x6c\x69\x6b\x65\x20\x61\x20\x66"
    "\x69\x73\x68\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x61\x20\x62\x69\x63\x79\x63"
    "\x6c\x65\x0a\x00"
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
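The advisory quoted above turns on one point: everything a client parses before it has verified the server's host key is attacker-controlled input, so any on-path party (not just the real server) can feed it. The defensive lesson is that length fields in those early packets must be bounds-checked against the packet before they drive any copy. The following C is an added illustration for this thread, not PuTTY's code and not the code the GLSA patched: it shows a hypothetical `get_ssh_string` helper that reads one SSH-2 "string" (a uint32 big-endian length followed by that many bytes) from an untrusted buffer and refuses lengths that overrun the packet or the destination. The two sample packets are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical helper (not PuTTY code): read one SSH-2 "string" from an
 * untrusted packet. Returns 1 and advances *pos on success, 0 if the
 * declared length does not fit inside the remaining buffer. */
static int get_ssh_string(const uint8_t *buf, size_t buflen, size_t *pos,
                          const uint8_t **out, uint32_t *outlen)
{
    size_t p = *pos;
    uint32_t len;

    /* Need four bytes for the length field itself. */
    if (p > buflen || buflen - p < 4)
        return 0;
    len = ((uint32_t)buf[p] << 24) | ((uint32_t)buf[p + 1] << 16) |
          ((uint32_t)buf[p + 2] << 8) | (uint32_t)buf[p + 3];
    p += 4;

    /* The server-supplied length must not reach past the packet. */
    if (len > buflen - p)
        return 0;

    *out = buf + p;
    *outlen = len;
    *pos = p + len;
    return 1;
}

/* Copy a parsed string into a fixed-size, NUL-terminated buffer.
 * Rejects input that would not fit instead of trusting the length. */
static int copy_ssh_string(const uint8_t *buf, size_t buflen, size_t *pos,
                           char *dst, size_t dstlen)
{
    const uint8_t *s;
    uint32_t n;

    if (!get_ssh_string(buf, buflen, pos, &s, &n))
        return 0;
    if (n >= dstlen)          /* leave room for the terminator */
        return 0;
    memcpy(dst, s, n);
    dst[n] = '\0';
    return 1;
}

/* Constructed samples: a well-formed string "ssh-rsa", and a packet whose
 * length field (0xFFFFFFFF) claims far more bytes than are present. */
static const uint8_t sample_good[] = {0, 0, 0, 7, 's', 's', 'h', '-', 'r', 's', 'a'};
static const uint8_t sample_bad[]  = {0xFF, 0xFF, 0xFF, 0xFF, 'A', 'B', 'C'};

/* Parse the first string of a packet into dst; 1 on success, 0 on reject. */
int parse_sample(const uint8_t *pkt, size_t len, char *dst, size_t dstlen)
{
    size_t pos = 0;
    return copy_ssh_string(pkt, len, &pos, dst, dstlen);
}

int main(void)
{
    char name[16];
    int ok = parse_sample(sample_good, sizeof sample_good, name, sizeof name);
    printf("good packet: %d (%s)\n", ok, ok ? name : "");
    printf("bad packet:  %d\n", parse_sample(sample_bad, sizeof sample_bad, name, sizeof name));
    return 0;
}
```

The check that matters is `len > buflen - p`, evaluated before any byte is copied; the same discipline applies to every field a client reads from the key-exchange reply, because at that stage nothing about the peer has been authenticated yet.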
    

