Full Disclosure mailing list archives
Re: iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords
From: auto68182 () hushmail com
Date: Thu, 30 Jan 2003 07:24:57 -0800
II. DESCRIPTION

AbsoluteTelnet, SecureCRT, Entunnel, SecureFx, and PuTTY do not properly scrub memory allowing an attacker with access to memory or a memory dump to retrieve authentication information. When connected via SSH2, an attacker can search memory or a memory dump for logon credentials.

Passwords transmitted by PuTTY can be found by searching for the second occurrence of the string "password:". The user's password is stored in plaintext shortly after this string.

Passwords transmitted by SecureCRT can be found by searching for the string "ssh-connection". The logon and password is stored in plaintext on the respective sides of this keyword.

Passwords transmitted by AbsoluteTelnet can be found by searching for the first occurrence of the string "Password", that lies in a segment of read/write memory. The logon and password is stored in plaintext on the respective sides of this keyword.

Gee, that's a handy vulnerability. Guess what - if I can read an FTP daemon's memory I can recover usernames and passwords too, and encrypted password hashes. If I'm in a windows box and I can dump the putty process's memory I bet you I could just install a keystroke logger anyway.

Did someone sell you this 'hole' iDefense? If so I have a number of similar ones for sale..
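
The scrubbing that the quoted advisory says these clients omit, shown as an added example (not part of the original message and not code from any of the named clients). The buffer layout, `build_auth_packet`, `password_left_behind` and the sample credential are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Wipe through a volatile pointer so the compiler cannot drop it as a dead store. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Returns 1 if needle occurs anywhere in mem, i.e. it would show up in a memory dump. */
static int region_contains(const unsigned char *mem, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; n && i + n <= len; i++)
        if (memcmp(mem + i, needle, n) == 0) return 1;
    return 0;
}

/* Hypothetical stand-in for a client assembling an SSH2 password-auth request:
   logon and password on either side of the "ssh-connection" service name. */
static size_t build_auth_packet(unsigned char *work, size_t cap,
                                const char *user, const char *pass) {
    static const char svc[] = "ssh-connection";
    size_t ul = strlen(user), sl = sizeof svc - 1, pl = strlen(pass);
    if (ul + sl + pl > cap) return 0;
    memcpy(work, user, ul);
    memcpy(work + ul, svc, sl);
    memcpy(work + ul + sl, pass, pl);
    return ul + sl + pl;
}

/* One simulated login. scrub=0 models the behaviour in the advisory, scrub=1 the fix.
   Returns 1 if the password is still present in the work buffer afterwards. */
int password_left_behind(int scrub) {
    static unsigned char work[128];      /* stands in for memory that outlives the login */
    char pass[32] = "constructed-Pa55";  /* constructed sample credential */
    size_t n = build_auth_packet(work, sizeof work, "alice", pass);
    /* ... the packet would be encrypted and sent here ... */
    if (scrub) {
        secure_wipe(work, n);            /* clear the plaintext copy in the work buffer */
        secure_wipe(pass, sizeof pass);  /* and the original input buffer */
    }
    return region_contains(work, sizeof work, "constructed-Pa55");
}

int main(void) {
    printf("no scrub: %d, scrub: %d\n", password_left_behind(0), password_left_behind(1));
    return 0;
}
```

Where the platform provides one, a wipe primitive such as `explicit_bzero` or `SecureZeroMemory` serves the same purpose as `secure_wipe`.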
Current thread:
- iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords iDEFENSE Labs (Jan 29)
- Re: iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords Michael Renzmann (Jan 29)
- <Possible follow-ups>
- Re: iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords auto68182 (Jan 30)
- RE: iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords David Endler (Jan 30)