
Serious Security Hole In PuTTY

timothy posted about 10 years ago | from the and-now-it's-fixed dept.

Encryption

Tim 'gk^' Nilimaa writes "A serious security hole has been found in PuTTY, version 0.54 and before. Simon Tatham and his fellows released PuTTY 0.55 on 2004-08-03, which solves this bug. The bug may allow servers to use PuTTY to act as a machine that you trust, even before you verify the host's key while connecting using SSH2. An attack could be a fact before you know that you have connected to the wrong machine. I (and they) say: upgrade to PuTTY 0.55 - now."


PuTTY tip (1, Interesting)

Anonymous Coward | about 10 years ago | (#9877795)

Not really related to this particular story, but related to recent versions of PuTTY. If using SSH, you can set up dynamic port forwarding which actually works as a SOCKS5 proxy which can be used by many applications. This means secure email, secure web browsing, secure whatever, wherever you are as long as you have access to SSH.

Re:PuTTY tip (0)

Anonymous Coward | about 10 years ago | (#9877841)

Can you give an example of how to set this up?

Re:PuTTY tip (5, Informative)

Anonymous Coward | about 10 years ago | (#9877955)

Open Putty, Category -> Connection -> SSH -> Tunnels.

In the port forwarding section, add new forwarded port.

Pick a source port. Any port will work, but 1080 is the standard for SOCKS5 proxies. Leave Destination blank, and choose Dynamic (instead of Local or Remote). Click the add button, and you should see D1080 listed in the box.

Okay, now you can save your session and start it.

In applications you can go into their connection settings section and set localhost, port 1080 as the SOCKS host. The application will then tunnel everything through your SSH connection.
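What the application actually sends to that localhost:1080 listener, as an added example of mine (not code from the thread or from the PuTTY project): the SOCKS5 greeting and CONNECT request, the reply PuTTY hands back, and a helper that returns a TCP socket whose traffic rides the SSH session. The 127.0.0.1:1080 listener address and the example.com target are assumptions, and the reply bytes used to exercise the parsers are constructed, not captured.

```python
"""SOCKS5 client handshake against a PuTTY dynamic forward (D1080).

Added example, not PuTTY code. Frame layout follows RFC 1928; the listener
address 127.0.0.1:1080 is an assumption (whatever you typed as the source port).
"""
import socket
import struct

SOCKS_HOST, SOCKS_PORT = "127.0.0.1", 1080  # assumed: PuTTY's D1080 listener

# RFC 1928 reply codes. Anything other than 0 means the SSH *server* could not
# open the outbound connection for you, e.g. port 80 filtered at the server end.
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def build_greeting() -> bytes:
    # VER=5, NMETHODS=1, METHODS=[0x00 "no authentication"]: the listener does
    # no SOCKS-level auth, the SSH login already authenticated you.
    return b"\x05\x01\x00"


def build_connect(host: str, port: int) -> bytes:
    # VER=5, CMD=1 CONNECT, RSV=0, ATYP=3 domain name, len+name, then port.
    # Sending the name instead of a resolved IP makes the SSH server do the
    # DNS lookup, so the lookup itself does not leak on your local network.
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)


def parse_method_reply(data: bytes) -> int:
    # VER, METHOD: 0x00 = no-auth accepted, 0xFF = no acceptable method
    if len(data) != 2 or data[0] != 5:
        raise ValueError("not a SOCKS5 method reply: %r" % (data,))
    return data[1]


def parse_connect_reply(data: bytes) -> tuple:
    # VER, REP, RSV, ATYP, BND.ADDR, BND.PORT -> (rep, bound_addr, bound_port)
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply: %r" % (data,))
    rep, atyp = data[1], data[3]
    if atyp == 1:                                   # IPv4
        addr, off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == 3:                                 # domain name
        n = data[4]
        addr, off = data[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == 4:                                 # IPv6
        addr, off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    if len(data) < off + 2:
        raise ValueError("truncated SOCKS5 reply")
    (port,) = struct.unpack(">H", data[off:off + 2])
    return rep, addr, port


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS listener closed the connection")
        buf += chunk
    return buf


def connect_via_socks(host: str, port: int, timeout: float = 10.0) -> socket.socket:
    """Return a TCP socket to host:port whose bytes travel inside the SSH session."""
    s = socket.create_connection((SOCKS_HOST, SOCKS_PORT), timeout=timeout)
    try:
        s.sendall(build_greeting())
        if parse_method_reply(_recv_exact(s, 2)) != 0:
            raise ConnectionError("listener rejected the no-auth method")
        s.sendall(build_connect(host, port))
        head = _recv_exact(s, 4)                    # VER REP RSV ATYP
        if head[3] == 1:
            rest = _recv_exact(s, 4 + 2)
        elif head[3] == 3:
            n = _recv_exact(s, 1)
            rest = n + _recv_exact(s, n[0] + 2)
        elif head[3] == 4:
            rest = _recv_exact(s, 16 + 2)
        else:
            raise ConnectionError("unknown ATYP in reply")
        rep, _, _ = parse_connect_reply(head + rest)
        if rep != 0:
            raise ConnectionError(REPLY_TEXT.get(rep, "reply code %d" % rep))
        return s
    except Exception:
        s.close()
        raise


if __name__ == "__main__":
    # With a PuTTY session carrying D1080 open, fetch a page through it.
    with connect_via_socks("example.com", 80) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: example.com\r\n\r\n")
        print(s.recv(512).decode("ascii", "replace"))
```

Two things worth knowing when you use this: a non-zero REP is the server end refusing or failing to make the outbound connection, which is exactly the "can the box get out on port 80" question raised further down the thread; and the listener only binds to localhost unless you tick "Local ports accept connections from other hosts" in the same Tunnels panel, so leave that unticked unless you want other machines on your LAN to ride your tunnel.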

Re:PuTTY tip (0)

Anonymous Coward | about 10 years ago | (#9878651)

sweet! Thanks!

Re:PuTTY tip (0)

Anonymous Coward | about 10 years ago | (#9879304)

Isn't this only useful if the place you are sshing to can get out on the ports you want to use your app for?

E.g. point your browser at port 1080 and make an ssh connection to a box, the box needs to then be able to surf on port 80. Also the only encryption is between you and the box, not from the box out to tinternet.

any info is nice though :)

Re:PuTTY tip (1, Informative)

Anonymous Coward | about 10 years ago | (#9879494)

Isn't this only useful if the place you are sshing to can get out on the ports you want to use your app for?

Yes, but a lot of servers don't restrict outgoing ports, or it may be YOUR remote server, and you can do what you want with it.

Also the only encryption is between you and the box not from the box out to tinternet.

True, but again, you may be more concerned about your connection from A -> B than from B -> C, especially if A -> B is work/wireless/whatever. At work all people would see is a single connection on port 22, which you could even move to make it look less like SSH.

Re:PuTTY tip (1)

Morpheuso (762437) | about 10 years ago | (#9891650)

Where does it get tunnelled to? Do you then have to do an SSH connection (the "tunnel") to a remote machine in order for the packets to get sent down the tunnel. Then how does the port forwarding work at the other end? Thanks in advance.

Re:PuTTY tip (0)

Anonymous Coward | about 10 years ago | (#9895891)

Your machine connects to the SSH server, then everything you're tunnelling exits the server. So, for example, if you browse through this proxy, it appears as if someone on the server were browsing.

Re:PuTTY tip (WinSCP, too?) (2, Informative)

mikehoskins (177074) | about 10 years ago | (#9882077)

I don't know if it's been posted, yet, otherwise mod me down as redundant -- I am prepared for your wrath.

What about WinSCP, which uses PuTTY DLLs?

Nice response time (4, Insightful)

curtisk (191737) | about 10 years ago | (#9877811)

I've used Putty now and again, but I know a lot of others that do use it on a daily basis...so it's always assuring that the devs have a quick turn around on fixes (especially with free software), that kind of dedication is appreciated

Re:Nice response time (3, Interesting)

Richard_at_work (517087) | about 10 years ago | (#9881994)

so it's always assuring that the devs have a quick turn around on fixes (especially with free software), that kind of dedication is appreciated

Not meaning to be nasty to the putty team, but there's no verifiable date of discovery of this bug, and the last release was 2003. This bug could have been known to the team 6 months ago, and only fixed now :).

Re:Nice response time (0)

Anonymous Coward | about 10 years ago | (#9885932)

to the team 6 months ago, and only fixed now :).

At least they fixed it. Some folks do not do that with the code they get paid to write...

Big thanks to the puTTY devs...

Re:Nice response time (4, Informative)

Simon Tatham (66941) | about 10 years ago | (#9888966)

That's true, we didn't mention that anywhere, did we?

We were notified of the problem six days before the 0.55 release went out. I'd have liked to get it turned around faster than that, but it took me a few days of bouncing email back and forth to get a coherent description of one of the two problems (the less important one, as it turned out).

But of course you've only got my word for that...

Re:Nice response time (1)

Simon Tatham (66941) | about 10 years ago | (#9889054)

No, I tell a lie, sorry. The Core advisory [coresecurity.com] does mention it: we were notified on 2004-07-28 and published a fix on 2004-08-03.

Re:Nice response time (1)

Richard_at_work (517087) | about 10 years ago | (#9889124)

Well, it wasn't in the writeup and it isn't immediately obvious on your website (and I can't decide if your first paragraph is based in sarcasm or not :P)

I did say I didn't want to be nasty, and that included belittling your effort, I was merely pointing out that we couldn't know for sure that the turn around was swift (and I will take your word for the time scale given, and it's pretty impressive anyway).

A question, if you will: Are there any plans to include tabbed window sessions in putty? I routinely have 20 or so putty sessions open, and it fills up my taskbar fairly quickly :( I'd love a KDE Kterm-like solution or something that groups the windows into a container window. Would you accept the code if someone else were to do it?

Screen (1)

orasio (188021) | about 10 years ago | (#9891878)

Screen [gnu.org] might help you, it lets you put several sessions into one. Learning new shortcuts might be a bitch, but it can be very helpful.

Re:Screen (1)

Richard_at_work (517087) | about 10 years ago | (#9897397)

Nah, screen doesn't really help when it's other machines you want the sessions to connect to (and you don't want them all originating from the unix system). I actually use screen heavily for other reasons though.

Clarification (5, Informative)

SpaceLifeForm (228190) | about 10 years ago | (#9877842)

It's the server that you think you can trust that can execute code on your Putty client.

The writeup is not clear:

The bug may allow servers to use PuTTY to act as a machine that you trust,...

Well, of course you trust your client machine.

Re:Clarification (5, Funny)

whoisjoe (465549) | about 10 years ago | (#9879407)

Actually, my client machine has been acting kind of weird lately. I think it's plotting against me, trying to turn my family and friends against...hey what are you do-OW!

THERE IS NOTHING TO FEAR. ALL IS WELL. NOTHING TO SEE HERE. PLEASE KEEP MOVING.

Re:Clarification (3, Funny)

dstone (191334) | about 10 years ago | (#9879529)

Well, of course you trust your client machine.

Not if my client machine runs Windows.

Re:Clarification (0)

Anonymous Coward | about 10 years ago | (#9890576)

Especially Windows XP, without any servicepack or security updates ;)

Re:Clarification (2, Funny)

AuMatar (183847) | about 10 years ago | (#9882211)

I wouldn't do that Dave.

Putty Question (1, Offtopic)

Gigs (127327) | about 10 years ago | (#9877983)

Does anyone know how to control putty's screen location? I use putty a lot and it always starts at the very top of the screen under a toolbar [truelaunchbar.com] I have there.

Re:Putty Question (1)

RevAaron (125240) | about 10 years ago | (#9878475)

You could use a macro package, like Macro Express.

Re:Putty Question (2, Informative)

Gigs (127327) | about 10 years ago | (#9879455)

Thanks... found AutoHotKey [autohotkey.com] while searching for Macro Express and it can be setup to do just what I need.

THANK YOU, THANK YOU, THANK YOU!!!

Re:Putty Question (1)

RevAaron (125240) | about 10 years ago | (#9885363)

...and thanks to you! I've never heard of AutoHotKey, but it looks very nice. At work, we use Macro Express, which is nice in some areas but extremely limited. AHK is OSS and probably more expandable. I've had to write external scripts/programs a fair amount to get around its limitations. :)

Re:Putty Question (1)

Anonymous Coward | about 10 years ago | (#9878610)

maybe you just use some toolbar program that wouldn't allow programs to do that..

Re:Putty Question (0)

Anonymous Coward | about 10 years ago | (#9886734)

meh. even the *windows* toolbar does this. try it yourself. move your toolbar all the way to the top, turn auto-hide off/always on top on and start putty. for me it always starts underneath the toolbar, just far enough you can't grab the titlebar with your mouse. so a quick alt-space-x fixes it, but it's still annoying not being able to control the starting position of the window. hell, even the properties for cmd.exe let you specify the top left position of the window. the only flaw i can think of in putty.

Another Putty Question (1)

Richard_at_work (517087) | about 10 years ago | (#9881847)

Anyone know of any third party tool to 'collect and group' windows in a container window, as I would dearly love to have my 15 or so putty windows act like how KDE's Kterm handles multiple sessions. Basically, when are they going to implement tabbed sessions in putty? :)

Re:Another Putty Question (1)

rpresser (610529) | about 10 years ago | (#9883747)

Overkill method:

* set up or get an account on a linux box
* install an X server on your windows box (e.g. cygwin with X)
* use putty to ssh from your windows box to your linux box, with X forwarding
* start an instance of KTerm, running on the linux box but on the X server of your windows box
* enjoy tabbed kterm windows, and use commandline ssh in each tab

Re:Another Putty Question (1)

Richard_at_work (517087) | about 10 years ago | (#9887198)

That is ludicrously overkill :P You could cut it down by installing KDE within Cygwin, and use it natively. But thats still overkill :P

Recent SSH chatter... (3, Funny)

dpilot (134227) | about 10 years ago | (#9878102)

I've heard lately about a lot more SSH chatter showing up than normal. There's been some speculation about an exploit turning up, soon. Perhaps this is it.

Or maybe there's Yet More To Come.

SSHhhhh (-1, Troll)

Anonymous Coward | about 10 years ago | (#9878237)

I cracked it... with some math even a child could do! Don't tell anyone.

Re:Recent SSH chatter... (3, Informative)

Col. Klink (retired) (11632) | about 10 years ago | (#9878530)

This exploit attacks a client as it connects to a server. Seeing ssh chatter in your logs means someone is trying to exploit your server.

Re:Recent SSH chatter... (1)

dpilot (134227) | about 10 years ago | (#9878748)

I wondered if they were building an inventory of vulnerable servers, which could also imply vulnerable clients.

Re:Recent SSH chatter... (2, Informative)

Rich (9681) | about 10 years ago | (#9884164)

Someone has been brute forcing ssh passwords - this is likely to be what you're seeing. Check out isc.incidents.org for details.

Re:Recent SSH chatter... (1)

wmaker (701707) | about 10 years ago | (#10003710)

someone should tell the people brute forcing my machine that it works a little better if you put the characters in the password blank, not the user blank.

Re:Recent SSH chatter... (0, Troll)

curtisk (191737) | about 10 years ago | (#9878531)

Waitaminutenow.....are you Tom Ridge [dhs.gov] ?

:)

Re:Recent SSH chatter... (0)

Anonymous Coward | about 10 years ago | (#9880344)

guess the joke was lost on the mods...

Re:Recent SSH chatter... (1, Informative)

Anonymous Coward | about 10 years ago | (#9879035)

Yes, it's an unbelievably lame script that scans for open SSH ports and then tries to login using "guest" and "test". I bet the 31337 script kiddie who put it together is creaming himself from all the attention it's getting.

Hint - if you get hacked by this, you probably deserve it.

It's been thoroughly analysed and doesn't use any exploits old or new. Think of it as an automated retard hunter.

Re:Recent SSH chatter... (1)

dpilot (134227) | about 10 years ago | (#9879253)

I can't quite believe anyone is that lame. Doesn't SSH report some banner info when you try to connect, like this? I'd sooner believe they're trying to collect info than actually try to crack 'guest'.

Re:Recent SSH chatter... (1)

andfarm (534655) | about 10 years ago | (#9881787)

Believe it or not, they actually found some such hosts. The username/password pairs tested were admin/admin, root/root, guest/guest, and test/test.

"Never underestimate the power of human stupidity."

Pint buying (-1, Offtopic)

rjw57 (532004) | about 10 years ago | (#9878326)

Well I for one will be buying Simon a pint for pulling this off so quickly.

Re:Pint buying (0)

Anonymous Coward | about 10 years ago | (#9879061)

Yeah, it's only been around for five years...

(ob disclaimer: I love Putty and owe Simon a night of pints for it, in all honesty. But to make a claim that he fixed the hole expediently is basically meaningless.)

Seriously though (5, Informative)

GigsVT (208848) | about 10 years ago | (#9879598)

Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?

Even with strict checking on, most of us are used to blowing records out of known hosts files when they don't match, due to system upgrades causing the old records to be invalid all the time.

Re:Seriously though (-1, Redundant)

Anonymous Coward | about 10 years ago | (#9879758)

I've never run into an upgrade changing the id.

Re:Seriously though (0)

Anonymous Coward | about 10 years ago | (#9879764)

Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?

I at least try to verify the cause of the host key changing if it is a trusted server. However, most of the time I end up simply removing the associated entry because of reasons explained below.

Even with strict checking on, most of us are used to blowing records out of known hosts files when they don't match, due to system upgrades causing the old records to be invalid all the time.

arrrggg.... They do that here at work all the time. What's the point of the trust model when you constantly change host keys!

Re:Seriously though (1)

thedillybar (677116) | about 10 years ago | (#9881179)

I've pissed off many admins by e-mailing them every time they change it without telling me.

Unfortunately, I usually accept it anyway because I have stuff to do and can't verify with the admin immediately.

Re:Seriously though (1)

kris_lang (466170) | about 10 years ago | (#9891758)

Yeah, my sysadmin was pissed when I called her on the phone verifying that the ssh-key had changed.
She wondered why I was even bothering her. Idiot.
And the last time she did a re-do of the system, she actually sent everyone an email telling them to come to her to get their new passwords: idiot, how do I log in to see THAT email if I don't have my new password.

I also caught her when she changed a back-up client and the read-time-stamp on my mail file got touched daily when it NEVER had been before. She's a loon: she was sure I was hacking something ('cause how else could I have known?) when it turned out I was the only user to run "finger" on my login religiously with each login and noted that my mailbox had been accessed without me logging in.
She just finally disallowed telnet last year but still lets her wacky windows-windiots use plain-text pop-mail to check mail and allows ftp.

Re:Seriously though (2, Interesting)

gregfortune (313889) | about 10 years ago | (#9882047)

What I usually do if I don't know for sure is feed the host a batch of incorrect passwords... If one of them lets me in, the host is certainly a fake. If my fake passwords fail, then I send the correct password and if it *doesn't* let me in, I know my password has been compromised. Not perfect, but admins killing off their keys when they rebuild a machine is pretty lame too.

Re:Seriously though (1)

pthisis (27352) | about 10 years ago | (#9883101)

Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?

If I know the machine just got wiped out or replaced, I'll hit yes. Otherwise, I'll investigate via outside channels. I've uncovered more than one DNS problem by investigating those messages.

Re:Seriously though (2, Insightful)

menscher (597856) | about 10 years ago | (#9883621)

Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?

First off, I'm a sysadmin, and I save my hostkeys when I upgrade.

Secondly, my client machines have the server key, so user passwords are not required.

Third, I usually check into the reason. If possible, I log in to a place I would have connected from before. There's only 2-3 machines I regularly log into from random places, and I have their bubble-babble digests memorized. And if I have no other choice, I connect and then immediately do the "ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub" to verify the key matches. If it doesn't, then I would know I'd been caught by a MITM attack. I could immediately su and lock my account and the su account I used to lock myself out (leaving only root).

Are these practical steps? YES! Trust me... there were attempted MITM attacks at Defcon this year. That is one place I would NOT accept an unknown hostkey.

Re:Seriously though (1)

aled (228417) | about 10 years ago | (#9885653)

Yes. No! wait! NO!

Re:Seriously though (0)

Anonymous Coward | about 10 years ago | (#9890752)

I always have someone read me the fingerprint over the phone when it changes. If you don't do that, you should just use rsh and forget about ssh.

What I want to know... (2, Interesting)

Anonymous Coward | about 10 years ago | (#9879919)

Why is it that PuTTY is a production quality app and its version number is still < 1? Shouldn't we be at a 1.x release by now?

Re:What I want to know... (1)

duffbeer703 (177751) | about 10 years ago | (#9881125)

Windows wasn't production ready for version 2003!

Sorry... couldn't resist.

Simple answers (1)

Slinky Saves the Wor (759676) | about 10 years ago | (#9889963)

Sometimes, version numbers don't mean jack shit. Sometimes, if it's below 1, it doesn't mean anything. Sometimes, if it's 3, it doesn't mean anything. Sometimes, the version numbers are used in a controlled way, based on the roadmap so that given feature will bump version number upwards.

I would prefer the build number as version number :-)

Putty is good... (1)

Ianoo (711633) | about 10 years ago | (#9880087)

But whenever I use Windows, I prefer the command-line SSH program that comes with cygwin. Configuring options for SSH is just a chore when I seem to have learned all the switches by heart.

Why not front page? (4, Interesting)

gmhowell (26755) | about 10 years ago | (#9880248)

Why isn't this on the front page? Oh, right, let's bury news of problems with cool programs, but a minor issue (solved six months ago) in a Microsoft program gets a front page mention.

Keep up the good work Rob. Hey, where are the 503's today? It hardly seems like the dot without them.

Yeah, yeah, -1, flamebait -1 troll. Who gives a crap? Not Rob or OSDTNVHPR

This is a tough one to classify (0)

Anonymous Coward | about 10 years ago | (#9880269)

On the one hand, it is important, and it does affect many users. But on the other, there really isn't that much to say about it.

Re:This is a tough one to classify (2, Insightful)

gmhowell (26755) | about 10 years ago | (#9880558)

It is for the former reason that it should be front page. IMNSHO.

Instead, we have 'Microsoft will try blogging service in Japan', ' ESA To Study Human Hibernation', and 'DEFCON WiFi Shootout Winners Set A Land Record'.

Re:This is a tough one to classify (1)

5amTheButcher (720031) | about 10 years ago | (#9882104)

' ESA To Study Human Hibernation', and 'DEFCON WiFi Shootout Winners Set A Land Record'.

But the defcon thing is totally applicable to daily life! I mean, now everyone can put 10' satellite dishes up on their houses and get 55 mile links to a non-evil broadband provider.

And the hibernation is good for waiting for the homeowners association to finish suing you for the 10' eyesore on the top of your house.

Re:This is a tough one to classify (1)

kris_lang (466170) | about 10 years ago | (#9891868)

I agree with you, this is front page stuff.

I was out on a field visit and my CD wasn't with me, so I hunted down a putty client 'cause they would let me run knoppix on their machines. One that I downloaded let me connect but gave me the wrong key number (I remember the first four and the last four digits from seeing it so often) so I gave it a fake password. Downloaded another putty client, gave me the right key, so I put in the right passkey and connected. Later investigated and re-downloaded the two putty clients at my "work-home" and didn't even have to md5sum it, they differed in size by 20k. I'm still investigating the innards to see what kind of man-in-the-middle attack it was trying.

Re:Why not front page? (0)

Anonymous Coward | about 10 years ago | (#9899452)

This is serious, but not critical - and /. is not a security forum, they couldn't possibly report every vulnerability in every app or that'll be everything they do from now on.

Or how often do you end up SSH'ing into an unknown box? If you don't, this can only be used if you manage to compromise the server or pull off a successful MITM attack, by DNS hijacking for example.

Nevertheless, I agree it should be on front page, just because it's so widely used program.

config files? (1)

orn (34773) | about 10 years ago | (#9882102)

Silly question, but where are PuTTY's config files kept? I'd like to keep a copy of the config file on the same USB key as my putty executable, but I'm not sure where they are stored.

Thanks...

Config file export (2, Informative)

orn (34773) | about 10 years ago | (#9882231)

Thanks for the link.

You can export the settings using RegEdit

Start->Run->regedit
Select the SimonTatham key
File->Export
Save the section on your USB key

On a new machine you can just double click on the .reg file and import all keys into the new machine.

Does anyone see any problems with this? Perhaps, you should be sure to _not_ take the RandomSeed key, since you'd like to have more randomness...

Orn

From the FAQ:

A.5.2 Where does PuTTY store its data?

On Windows, PuTTY stores most of its data (saved sessions, SSH host keys) in the Registry. The precise location is

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY

and within that area, saved sessions are stored under Sessions while host keys are stored under SshHostKeys.

PuTTY also requires a random number seed file, to improve the unpredictability of randomly chosen data needed as part of the SSH cryptography. This is stored by default in your Windows home directory (%HOMEDRIVE%\%HOMEPATH%), or in the actual Windows directory (such as C:\WINDOWS) if the home directory doesn't exist, for example if you're using Win95. If you want to change the location of the random number seed file, you can put your chosen pathname in the Registry, at

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\RandSeedFile

On Unix, PuTTY stores all of this data in a directory ~/.putty.
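One way to do the check menscher describes in the "Seriously though" thread above (compare the fingerprint that `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub` prints on the server with the key your client already holds), fed from the registry location the FAQ gives. This is an added example of mine, not code from the thread, from PuTTY or from OpenSSH. Assumed: PuTTY stores each rsa2 host key under SshHostKeys as a value named "rsa2@<port>:<host>" holding "0x<exponent>,0x<modulus>" (check against your own export); the sample key and the .reg text are constructed for the example, not a real key.

```python
"""Check the host key PuTTY cached against the key the server says it has.

Added example, not PuTTY or OpenSSH code. Assumptions: PuTTY keeps rsa2 host
keys under HKCU\\Software\\SimonTatham\\PuTTY\\SshHostKeys as values named
"rsa2@<port>:<host>" holding "0x<exponent>,0x<modulus>" (verify on your own
registry export); the sample key and .reg text below are constructed, not real.
"""
import base64
import hashlib
import struct


def _mpint(n: int) -> bytes:
    # SSH mpint: length-prefixed big-endian bytes; the +8 leaves room for a
    # leading 0x00 whenever the high bit is set, so the value is not negative.
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def rsa_blob(e: int, n: int) -> bytes:
    # Wire form of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n.
    # This blob is what ssh-keygen -l hashes to print the fingerprint.
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def parse_blob(blob: bytes) -> tuple:
    def take(off):
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + ln], off + 4 + ln
    ktype, off = take(0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % (ktype,))
    e_raw, off = take(off)
    n_raw, off = take(off)
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")


def parse_openssh_pub(line: str) -> tuple:
    # One line of /etc/ssh/ssh_host_rsa_key.pub: "ssh-rsa <base64> [comment]"
    ktype, b64 = line.split()[:2]
    if ktype != "ssh-rsa":
        raise ValueError("only ssh-rsa is handled here")
    return parse_blob(base64.b64decode(b64))


def parse_putty_reg_value(value: str) -> tuple:
    # "0x10001,0xc0de..." -> (e, n); assumed PuTTY registry value format
    e_hex, n_hex = value.split(",")
    return int(e_hex, 16), int(n_hex, 16)


def parse_reg_export(text: str) -> dict:
    # Walk a regedit export and collect the rsa2@port:host entries of SshHostKeys.
    # regedit writes .reg files as UTF-16: open(path, encoding="utf-16").
    keys, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.rstrip("]").endswith("\\SshHostKeys")
        elif in_section and line.startswith('"rsa2@'):
            name, value = line.split("=", 1)
            keys[name.strip('"')] = parse_putty_reg_value(value.strip('"'))
    return keys


def fingerprint_md5(blob: bytes) -> str:
    # The colon-separated hex that ssh-keygen -l printed in 2004 (now: -E md5)
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    # The form current ssh-keygen -l prints
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def cached_key_matches(server_pub_line: str, reg_text: str, host: str, port: int = 22) -> bool:
    """True if the key PuTTY cached for host:port matches the server's .pub line."""
    cached = parse_reg_export(reg_text).get("rsa2@%d:%s" % (port, host))
    if cached is None:
        return False
    server_blob = rsa_blob(*parse_openssh_pub(server_pub_line))
    return fingerprint_md5(rsa_blob(*cached)) == fingerprint_md5(server_blob)


# --- constructed sample data (toy 64-bit modulus, not a real key) ---
SAMPLE_E, SAMPLE_N = 65537, 0xC0DEC0FFEE15BAD1
SERVER_PUB_LINE = "ssh-rsa %s root@example.org" % base64.b64encode(
    rsa_blob(SAMPLE_E, SAMPLE_N)).decode()
REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\SshHostKeys]
"rsa2@22:example.org"="0x10001,0xc0dec0ffee15bad1"
"""

if __name__ == "__main__":
    blob = rsa_blob(*parse_openssh_pub(SERVER_PUB_LINE))
    print("server says:", fingerprint_md5(blob), fingerprint_sha256(blob))
    print("cache matches:", cached_key_matches(SERVER_PUB_LINE, REG_EXPORT, "example.org"))
```

Get the .reg text with the regedit export described above, or from a prompt with `reg export HKCU\Software\SimonTatham\PuTTY\SshHostKeys hostkeys.reg`, and read it with `encoding="utf-16"`. The comparison only helps if the server-side fingerprint reaches you over a channel the suspected man-in-the-middle cannot touch: a previous login, or somebody reading it to you over the phone, as the thread suggests.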

You know ... (2, Funny)

Sonic McTails (700139) | about 10 years ago | (#9882115)

I was expecting BrICk 1.0 .... (It's a joke, laugh !)

Affects PSCP? (download resume) (1)

eddy (18759) | about 10 years ago | (#9888235)

I have no idea if this affects pscp too, but I've brought my pscp download resume [gazonk.org] patch up to date anyhow. Grabbed the source snapshot [tartarus.org] which I assume post-dates the 0.55 fixes.

Re:Affects PSCP? (download resume) (0)

Anonymous Coward | about 10 years ago | (#9894348)

So you are the guy trying to make a dent in rsync's user base?