Full Disclosure mailing list archives

Re: [ GLSA 200408-04 ] PuTTY: Pre-authentication arbitrary code execution


From: harry <Rik.Bobbaers () cc kuleuven ac be>
Date: Fri, 06 Aug 2004 11:28:53 +0200

Sune Kloppenborg Jeppesen wrote:
<snip>
Description
===========

PuTTY contains a vulnerability allowing a malicious server to execute
arbitrary code on the connecting client before host key verification.

Impact
======

When connecting to a server using the SSH2 protocol an attacker is able
to execute arbitrary code with the permissions of the user running
PuTTY by sending specially crafted packets to the client during the
authentication process but before host key verification.

<snip>

Does this mean that everyone on the network can execute arbitrary code on the victim's machine by simply doing a man-in-the-middle attack?

What other security issues are attached to this? Is it only a vulnerability if the server you're on is not trusted? (In that case, you shouldn't even trust the SSH daemon and you shouldn't be there :))

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT             -=- Tel: +32 485 52 71 50
Rik.Bobbaers () cc kuleuven ac be -=- http://harry.ulyssis.org


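As an added illustration (not code from the advisory or from PuTTY, and not the mechanism of this particular flaw), here is the shape of what the GLSA describes: the fields of the SSH2 key-exchange reply are parsed before the host key has been verified, so a client has to treat every length in them as untrusted input, whether the peer is the real server or an active attacker on the path. The field layout follows RFC 4253; the size limit and the sample replies are assumed/constructed for this example.

```python
import struct

# Upper bound on any single string field accepted during key exchange;
# the exact limit is a design choice (value assumed for this example).
MAX_FIELD_LEN = 64 * 1024

class MalformedPacket(ValueError):
    pass

def read_string(buf: bytes, off: int):
    """Parse one SSH 'string' (uint32 length + bytes, RFC 4251) with bounds checks."""
    if off + 4 > len(buf):
        raise MalformedPacket("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if n > MAX_FIELD_LEN:
        raise MalformedPacket(f"field length {n} exceeds limit")
    if off + n > len(buf):
        raise MalformedPacket("field length runs past end of packet")
    return buf[off:off + n], off + n

def parse_kexdh_reply(payload: bytes) -> dict:
    """Parse SSH_MSG_KEXDH_REPLY (RFC 4253): byte 31, string K_S, mpint f, string sig."""
    # Everything here arrives before the client has verified the peer in any way,
    # so each claimed length is attacker-controllable and must be checked first.
    if not payload or payload[0] != 31:
        raise MalformedPacket("not a KEXDH_REPLY")
    off = 1
    host_key, off = read_string(payload, off)
    f, off = read_string(payload, off)      # mpint uses the same length framing
    sig, off = read_string(payload, off)
    if off != len(payload):
        raise MalformedPacket("trailing bytes after signature")
    return {"host_key": host_key, "f": f, "signature": sig}

def make_reply(host_key: bytes, f: bytes, sig: bytes) -> bytes:
    """Build a well-formed reply (test data only; a real f is a DH value)."""
    return b"\x1f" + b"".join(struct.pack(">I", len(s)) + s for s in (host_key, f, sig))

def classify(payload: bytes) -> str:
    """'ok' if the reply parses, 'rejected' otherwise; reject before using any field."""
    try:
        parse_kexdh_reply(payload)
        return "ok"
    except MalformedPacket:
        return "rejected"

# Constructed samples: a valid reply and one whose host-key length claims ~4 GiB.
GOOD_REPLY = make_reply(b"ssh-rsa-blob", b"\x01\x02", b"sig")
BAD_REPLY = b"\x1f" + struct.pack(">I", 0xFFFFFFF0) + b"short"
```

Running `classify` on the two constructed replies gives `ok` and `rejected`; the point is that the rejection happens on the claimed length alone, before any allocation or copy is driven by it.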
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
