Slashdot Mirror


Serious Security Hole In PuTTY

Tim 'gk^' Nilimaa writes "A serious security hole has been found in PuTTY, version 0.54 and before. Simon Tatham and his fellows released PuTTY 0.55 on 2004-08-03 which solves this bug. The bug may allow servers to use PuTTY to act as a machine that you trust, even before you verify the host's key while connecting using SSH2. An attack could be a fact before you know that you have connected to the wrong machine. I (and they) say: upgrade to PuTTY 0.55 - now."

72 comments

  1. PuTTY tip by Anonymous Coward · · Score: 1, Interesting

    Not really related to this particular story, but related to recent versions of PuTTY. If using SSH, you can set up dynamic port forwarding which actually works as a SOCKS5 proxy which can be used by many applications. This means secure email, secure web browsing, secure whatever, wherever you are as long as you have access to SSH.

    1. Re:PuTTY tip by Anonymous Coward · · Score: 0

      Can you give an example of how to set this up?

    2. Re:PuTTY tip by Anonymous Coward · · Score: 5, Informative

      Open Putty, Category -> Connection -> SSH -> Tunnels.

      In the port forwarding section, add new forwarded port.

      Pick a source port. Any port will work, but 1080 is the standard for socks 5 proxies. Leave Destination blank, and choose Dynamic (instead of Local or Remote). Click the add button, and you should see D1080 listed in the box.

      Okay, now you can save your session and start it.

      In applications you can go into their connection settings section and set localhost, port 1080 as the SOCKS host. The application will then tunnel everything through your SSH connection.
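The D1080 forward set up above is a plain SOCKS5 listener, so any client can drive it. As an added example (not from this thread or from PuTTY), the Python below performs the RFC 1928 greeting and CONNECT handshake that an application pointed at localhost:1080 sends, and shows why naming the destination by hostname keeps DNS lookups on the SSH server's side; the proxy address and the example.com destination are assumptions.

```python
import socket
import struct

# Added example (not from the thread or from PuTTY). Assumes the D1080
# dynamic forward from the post above: a SOCKS5 (RFC 1928) listener on
# 127.0.0.1:1080 that accepts "no authentication", which is the method
# PuTTY's dynamic forward offers; the SSH server end opens the real connection.
SOCKS5, NO_AUTH, NO_ACCEPTABLE = 0x05, 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0x00: "succeeded", 0x01: "general SOCKS server failure",
              0x02: "connection not allowed by ruleset",
              0x03: "network unreachable", 0x04: "host unreachable",
              0x05: "connection refused", 0x06: "TTL expired",
              0x07: "command not supported", 0x08: "address type not supported"}

def build_greeting() -> bytes:
    # VER, NMETHODS, METHODS: offer only "no authentication".
    return bytes([SOCKS5, 1, NO_AUTH])

def parse_method_selection(reply: bytes) -> int:
    # VER, METHOD; 0xFF means the proxy rejected every offered method.
    if len(reply) != 2 or reply[0] != SOCKS5:
        raise ValueError("not a SOCKS5 method selection: %r" % reply)
    if reply[1] == NO_ACCEPTABLE:
        raise ValueError("proxy accepted none of the offered auth methods")
    return reply[1]

def build_connect(host: str, port: int) -> bytes:
    # VER, CMD, RSV, ATYP=domain, LEN, NAME, PORT (network byte order).
    # Sending the name rather than an IP makes the SSH server do the DNS
    # lookup, so the local resolver never learns the destination.
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for a SOCKS5 domain address")
    return (bytes([SOCKS5, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))

def parse_connect_reply(reply: bytes) -> tuple:
    # VER, REP, RSV, ATYP, BND.ADDR, BND.PORT -> (rep_code, description).
    if len(reply) < 5 or reply[0] != SOCKS5:
        raise ValueError("not a SOCKS5 reply: %r" % reply)
    rep, atyp = reply[1], reply[3]
    addr_len = {ATYP_IPV4: 4, ATYP_IPV6: 16, ATYP_DOMAIN: 1 + reply[4]}.get(atyp)
    if addr_len is None:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(reply) != 4 + addr_len + 2:
        raise ValueError("truncated or overlong SOCKS5 reply")
    return rep, REPLY_TEXT.get(rep, "unknown reply 0x%02x" % rep)

def socks_connect(dest_host: str, dest_port: int,
                  proxy=("127.0.0.1", 1080)) -> socket.socket:
    """Return a TCP stream to dest_host:dest_port opened through the SSH tunnel."""
    s = socket.create_connection(proxy, timeout=10)
    s.sendall(build_greeting())
    parse_method_selection(s.recv(2))
    s.sendall(build_connect(dest_host, dest_port))
    rep, text = parse_connect_reply(s.recv(262))   # longest reply: 4+1+255+2
    if rep != 0x00:
        s.close()
        raise OSError("SOCKS5 CONNECT failed: " + text)
    return s

if __name__ == "__main__":
    # Live use (the PuTTY session with D1080 must be running): the request
    # leaves from the SSH server, so the web site sees that server's address.
    with socks_connect("example.com", 80) as conn:
        conn.sendall(b"HEAD / HTTP/1.0\r\nHost: example.com\r\n\r\n")
        print(conn.recv(512).decode("latin-1"))
```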

    3. Re:PuTTY tip by Anonymous Coward · · Score: 0

      sweet! Thanks!

    4. Re:PuTTY tip by Anonymous Coward · · Score: 0

      Isn't this only useful if the place you are sshing to can get out on the ports you want to use your app for?

      E.g. point your browser at port 1080 and make an ssh connection to a box, the box needs to then be able to surf on port 80. Also the only encryption is between you and the box not from the box out to tinternet.

      any info is nice though :)

    5. Re:PuTTY tip by Anonymous Coward · · Score: 1, Informative

      Isn't this only useful if the place you are sshing to can get out on the ports you want to use your app for?

      Yes, but a lot of servers don't restrict outgoing ports, or it may be YOUR remote server, and you can do what you want with it.

      Also the only encryption is between you and the box not from the box out to tinternet.

      True, but again, you may be more concerned about your connection from A -> B than from B -> C, especially if A -> B is work/wireless/whatever. At work all people would see is a single connection on port 22, which you could even move to make it look less like SSH.

    6. Re:PuTTY tip by Morpheuso · · Score: 1

      Where does it get tunnelled to? Do you then have to do an SSH connection (the "tunnel") to a remote machine in order for the packets to get sent down the tunnel? Then how does the port forwarding work at the other end? Thanks in advance.

    7. Re:PuTTY tip by Anonymous Coward · · Score: 0

      Your machine connects to the SSH server, then everything you're tunneling exits the server. So, for example, if you browse through this proxy, it appears as if someone on the server were browsing.

  2. Nice response time by curtisk · · Score: 4, Insightful

    I've used Putty now and again, but I know a lot of others that do use it on a daily basis...so it's always assuring that the devs have a quick turn around on fixes (especially with free software), that kind of dedication is appreciated

    --

    Dear toilet user!

    1. Re:Nice response time by Richard_at_work · · Score: 3, Interesting

      so it's always assuring that the devs have a quick turn around on fixes (especially with free software), that kind of dedication is appreciated

      Not meaning to be nasty to the putty team, but there's no verifiable date of discovery of this bug, and the last release was 2003. This bug could have been known to the team 6 months ago, and only fixed now :).

    2. Re:Nice response time by Anonymous Coward · · Score: 0

      to the team 6 months ago, and only fixed now :).

      At least they fixed it. Some folks do not do that with the code they get paid to write...

      Big thanks to the puTTY devs...

    3. Re:Nice response time by Simon Tatham · · Score: 4, Informative

      That's true, we didn't mention that anywhere, did we?

      We were notified of the problem six days before the 0.55 release went out. I'd have liked to get it turned around faster than that, but it took me a few days of bouncing email back and forth to get a coherent description of one of the two problems (the less important one, as it turned out).

      But of course you've only got my word for that...

    4. Re:Nice response time by Simon Tatham · · Score: 1

      No, I tell a lie, sorry. The Core advisory does mention it: we were notified on 2004-07-28 and published a fix on 2004-08-03.

    5. Re:Nice response time by Richard_at_work · · Score: 1

      Well, it wasn't in the writeup and it isn't immediately obvious on your website (and I can't decide if your first paragraph is based in sarcasm or not :P)

      I did say I didn't want to be nasty, and that included belittling your effort, I was merely pointing out that we couldn't know for sure that the turn around was swift (and I will take your word for the time scale given, and it's pretty impressive anyway).

      A question, if you will: Are there any plans to include tabbed window sessions in putty? I routinely have 20 or so putty sessions open, and it fills up my taskbar fairly quickly :( I'd love a KDE Kterm like solution or something that groups the windows into a container window. Would you accept the code if someone else were to do it?

  3. Clarification by SpaceLifeForm · · Score: 5, Informative

    It's the server that you think you can trust that can execute code on your Putty client.

    The writeup is not clear:

    The bug may allow servers to use PuTTY to act as a machine that you trust,...

    Well, of course you trust your client machine.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.

    1. Re:Clarification by whoisjoe · · Score: 5, Funny

      Actually, my client machine has been acting kind of weird lately. I think it's plotting against me, trying to turn my family and friends against...hey what are you do-OW!

      THERE IS NOTHING TO FEAR. ALL IS WELL. NOTHING TO SEE HERE. PLEASE KEEP MOVING.

    2. Re:Clarification by dstone · · Score: 3, Funny

      Well, of course you trust your client machine.

      Not if my client machine runs Windows.

    3. Re:Clarification by AuMatar · · Score: 2, Funny

      I wouldn't do that Dave.

      --
      I still have more fans than freaks. WTF is wrong with you people?

    4. Re:Clarification by Anonymous Coward · · Score: 0

      Especially Windows XP, without any service pack or security updates ;)

  4. Putty Question by Gigs · · Score: 1, Offtopic

    Does anyone know how to control putty's screen location? I use putty a lot and it always starts at the very top of the screen under a toolbar I have there.

    1. Re:Putty Question by RevAaron · · Score: 1

      You could use a macro package, like Macro Express.

      --

      Working toward a usable PDA environment in the spirit of Newton OS: Dynapad

    2. Re:Putty Question by Anonymous Coward · · Score: 1

      maybe you just use some toolbar program that wouldn't allow programs to do that..

    3. Re:Putty Question by Gigs · · Score: 2, Informative

      Thanks... found AutoHotKey while searching for Macro Express and it can be set up to do just what I need.

      THANK YOU, THANK YOU, THANK YOU!!!

    4. Re:Putty Question by RevAaron · · Score: 1

      ...and thanks to you! I've never heard of AutoHotKey, but it looks very nice. At work, we use Macro Express, which is nice in some areas but extremely limited. AHK is OSS and probably more expandable. I've had to write external scripts/programs a fair amount to get around its limitations. :)

      --

      Working toward a usable PDA environment in the spirit of Newton OS: Dynapad

    5. Re:Putty Question by Anonymous Coward · · Score: 0

      meh. even the *windows* toolbar does this. try it yourself. move your toolbar all the way to the top, turn auto-hide off/always on top on and start putty. for me it always starts underneath the toolbar, just far enough you can't grab the titlebar with your mouse. so a quick alt-space-x fixes it, but it's still annoying not being able to control the starting position of the window. hell, even the properties for cmd.exe let you specify the top left position of the window. the only flaw i can think of in putty.

  5. Recent SSH chatter... by dpilot · · Score: 3, Funny

    I've heard lately about a lot more SSH chatter showing up than normal. There's been some speculation about an exploit turning up, soon. Perhaps this is it.

    Or maybe there's Yet More To Come.

    --
    The living have better things to do than to continue hating the dead.

    1. Re:Recent SSH chatter... by Col. Klink (retired) · · Score: 3, Informative

      This exploit attacks a client as it connects to a server. Seeing ssh chatter in your logs means someone is trying to exploit your server.

      --

      -- Don't Tase me, bro!

    2. Re:Recent SSH chatter... by curtisk · · Score: 0, Troll

      Waitaminutenow.....are you Tom Ridge?

      :)

      --

      Dear toilet user!

    3. Re:Recent SSH chatter... by dpilot · · Score: 1

      I wondered if they were building an inventory of vulnerable servers, which could also imply vulnerable clients.

      --
      The living have better things to do than to continue hating the dead.

    4. Re:Recent SSH chatter... by Anonymous Coward · · Score: 1, Informative

      Yes, it's an unbelievably lame script that scans for open SSH ports and then tries to login using "guest" and "test". I bet the 31337 script kiddie who put it together is creaming himself from all the attention it's getting.

      Hint - if you get hacked by this, you probably deserve it.

      It's been thoroughly analysed and doesn't use any exploits old or new. Think of it as an automated retard hunter.

    5. Re:Recent SSH chatter... by dpilot · · Score: 1

      I can't quite believe anyone is that lame. Doesn't SSH report some banner info when you try to connect, like this? I'd sooner believe they're trying to collect info than actually try to crack 'guest'.

      --
      The living have better things to do than to continue hating the dead.

    6. Re:Recent SSH chatter... by Anonymous Coward · · Score: 0

      guess the joke was lost on the mods...

    7. Re:Recent SSH chatter... by andfarm · · Score: 1

      Believe it or not, they actually found some such hosts. The username/password pairs tested were admin/admin, root/root, guest/guest, and test/test.

      "Never underestimate the power of human stupidity."

      --

      TANSTAAFI: There Ain't No Such Thing As A Free iPod.

    8. Re:Recent SSH chatter... by Rich · · Score: 2, Informative

      Someone has been brute forcing ssh passwords - this is likely to be what you're seeing. Check out isc.incidents.org for details.

    9. Re:Recent SSH chatter... by wmaker · · Score: 1

      someone should tell the people brute forcing my machine that it works a little better if you put the characters in the password blank, not the user blank.

  6. Re:Pint buying by Anonymous Coward · · Score: 0

    Yeah, it's only been around for five years...

    (ob disclaimer: I love Putty and owe Simon a night of pints for it, in all honesty. But to make a claim that he fixed the hole expediently is basically meaningless.)

  7. Mirrors by MikeSweetser · · Score: 3, Informative

    It appears the main PuTTY site has been Slashdotted: here are a few more links:

    http://putty.obengelb.de/
    http://www.puttyssh.org/
    http://putty.activalink.net/

    And a nice mirrors list.

    Mike

  8. Seriously though by GigsVT · · Score: 5, Informative

    Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?

    Even with strict checking on, most of us are used to blowing records out of known hosts files when they don't match, due to system upgrades causing the old records to be invalid all the time.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.

    1. Re:Seriously though by Anonymous Coward · · Score: 0

      Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?

      I at least try to verify the cause of the host key changing if it is a trusted server. However, most of the time I end up simply removing the associated entry because of reasons explained below.

      Even with strict checking on, most of us are used to blowing records out of known hosts files when they don't match, due to system upgrades causing the old records to be invalid all the time.

      arrrggg.... They do that here at work all the time. What's the point of the trust model when you constantly change host keys!

    2. Re:Seriously though by thedillybar · · Score: 1

      I've pissed off many admins by e-mailing them every time they change it without telling me.

      Unfortunately, I usually accept it anyway because I have stuff to do and can't verify with the admin immediately.

    3. Re:Seriously though by gregfortune · · Score: 2, Interesting

      What I usually do if I don't know for sure is feed the host a batch of incorrect passwords... If one of them lets me in, the host is certainly a fake. If my fake passwords fail, then I send the correct password and if it *doesn't* let me in, I know my password has been compromised. Not perfect, but admins killing off their keys when they rebuild a machine is pretty lame too.

    4. Re:Seriously though by pthisis · · Score: 1

      Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?

      If I know the machine just got wiped out or replaced, I'll hit yes. Otherwise, I'll investigate via outside channels. I've uncovered more than one DNS problem by investigating those messages.

      --
      rage, rage against the dying of the light

    5. Re:Seriously though by menscher · · Score: 2, Insightful

      Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?

      First off, I'm a sysadmin, and I save my hostkeys when I upgrade.

      Secondly, my client machines have the server key, so user passwords are not required.

      Third, I usually check into the reason. If possible, I log in to a place I would have connected from before. There's only 2-3 machines I regularly log into from random places, and I have their bubble-babble digests memorized. And if I have no other choice, I connect and then immediately do the "ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub" to verify the key matches. If it doesn't, then I would know I'd been caught by a MITM attack. I could immediately su and lock my account and the su account I used to lock myself out (leaving only root).

      Are these practical steps? YES! Trust me... there were attempted MITM attacks at Defcon this year. That is one place I would NOT accept an unknown hostkey.
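As an added example (not from the thread, OpenSSH or PuTTY), the script below does the check menscher describes in code: it parses an OpenSSH public-key line such as the contents of ssh_host_rsa_key.pub, computes the MD5 fingerprint that `ssh-keygen -l` printed in 2004 and the SHA256 form current OpenSSH prints, and compares against a value you remembered or had read out over the phone. The demo key is constructed inside the script and is not a real host key; bubble-babble output is not covered.

```python
import base64
import hashlib
import struct

# Added example (not from the thread or from OpenSSH/PuTTY). Parses a
# public-key line as found in ssh_host_rsa_key.pub or known_hosts, computes
# its fingerprint, and compares it with a remembered value. MD5 hex is what
# `ssh-keygen -l` printed in 2004; SHA256 is what current OpenSSH prints.
# The demo key at the bottom is constructed here and is not a real host key.

def _ssh_string(data: bytes) -> bytes:
    return struct.pack("!I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    # RFC 4251 mpint: big-endian, with an extra leading zero byte if the top bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_rsa_blob(e: int, n: int) -> bytes:
    # RFC 4253 "ssh-rsa" public key: string "ssh-rsa", mpint e, mpint n.
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def parse_pubkey_line(line: str) -> bytes:
    """'<type> <base64 blob> [comment]' -> raw key blob, after sanity checks."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The type encoded inside the blob must match the text type, else the line is corrupt.
    (tlen,) = struct.unpack("!I", blob[:4])
    if blob[4:4 + tlen] != fields[0].encode():
        raise ValueError("key type mismatch in public key line")
    return blob

def fingerprint_md5(blob: bytes) -> str:
    # Legacy form: 16 colon-separated hex bytes, e.g. "ab:cd:ef:..."
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(blob: bytes) -> str:
    # Modern form: "SHA256:" followed by unpadded base64 of the digest.
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def matches_remembered(blob: bytes, remembered: str) -> bool:
    """True if the key's fingerprint equals the remembered one, in either form."""
    rem = remembered.strip()
    if rem[:7].upper() == "SHA256:":
        return fingerprint_sha256(blob) == "SHA256:" + rem[7:]
    if rem[:4].upper() == "MD5:":
        rem = rem[4:]
    return fingerprint_md5(blob) == rem.lower()

# Constructed demo key: tiny RSA parameters, useless for real SSH, fine for hashing.
DEMO_LINE = ("ssh-rsa "
             + base64.b64encode(make_rsa_blob(65537, 0xC0FFEE1D)).decode()
             + " demo-host")

if __name__ == "__main__":
    key = parse_pubkey_line(DEMO_LINE)
    print("MD5    ", fingerprint_md5(key))
    print("SHA256 ", fingerprint_sha256(key))
    print("match? ", matches_remembered(key, fingerprint_md5(key).upper()))
```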

    6. Re:Seriously though by aled · · Score: 1

      Yes. No! wait! NO!

      --

      "I think this line is mostly filler"

    7. Re:Seriously though by Anonymous Coward · · Score: 0

      I always have someone read me the fingerprint over the phone when it changes. If you don't do that, you should just use rsh and forget about ssh.

    8. Re:Seriously though by kris_lang · · Score: 1

      Yeah, my sysadmin was pissed when I called her on the phone verifying that the ssh-key had changed.
      She wondered why I was even bothering her. Idiot.
      And the last time she did a re-do of the system, she actually sent everyone an email telling them to come to her to get their new passwords: idiot, how do I log in to see THAT email if I don't have my new password.

      I also caught her when she changed a back-up client and the read-time-stamp on my mail file got touched daily when it NEVER had been before. She's a loon: she was sure I was hacking something ('cause how else could I have known?) when it turned out I was the only one who used to run "finger" on my login religiously with each login and noted that my mailbox had been accessed without me logging in.
      She just finally disallowed telnet last year but still lets her wacky windows-windiots use plain-text pop-mail to check mail and allows ftp.

  9. What I want to know... by Anonymous Coward · · Score: 2, Interesting

    Why is it that PuTTY is a production quality app and its version number is still < 1? Shouldn't we be at a 1.x release by now?

    1. Re:What I want to know... by duffbeer703 · · Score: 1

      Windows wasn't production ready for version 2003!

      Sorry... couldn't resist.

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK

  10. Putty is good... by Ianoo · · Score: 1

    But whenever I use Windows, I prefer the command-line SSH program that comes with cygwin. Configuring options for SSH is just a chore when I seem to have learned all the switches by heart.

  11. Why not front page? by gmhowell · · Score: 4, Interesting

    Why isn't this on the front page? Oh, right, let's bury news of problems with cool programs, but a minor issue (solved six months ago) in a Microsoft program gets front page mention.

    Keep up the good work Rob. Hey, where are the 503's today? It hardly seems like the dot without them.

    Yeah, yeah, -1, flamebait -1 troll. Who gives a crap? Not Rob or OSDTNVHPR

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon

    1. Re:Why not front page? by Anonymous Coward · · Score: 0

      This is serious, but not critical - and /. is not a security forum, they couldn't possibly report every vulnerability in every app or that'll be everything they do from now on.

      Or how often do you end up SSH'ing into an unknown box? If you don't, this can only be used if you manage to compromise the server or pull off a successful MITM attack, by DNS hijack for example.

      Nevertheless, I agree it should be on the front page, just because it's such a widely used program.

  12. This is a tough one to classify by Anonymous Coward · · Score: 0

    On the one hand, it is important, and it does affect many users. But on the other, there really isn't that much to say about it.

    1. Re:This is a tough one to classify by gmhowell · · Score: 2, Insightful

      It is for the former reason that it should be front page. IMNSHO.

      Instead, we have 'Microsoft will try blogging service in Japan', ' ESA To Study Human Hibernation', and 'DEFCON WiFi Shootout Winners Set A Land Record'.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon

    2. Re:This is a tough one to classify by 5amTheButcher · · Score: 1

      ' ESA To Study Human Hibernation', and 'DEFCON WiFi Shootout Winners Set A Land Record'.

      But the defcon thing is totally applicable to daily life! I mean, now everyone can put 10' satellite dishes up on their houses and get 55 mile links to a non-evil broadband provider.

      And the hibernation is good for waiting for the homeowners association to finish suing you for the 10' eyesore on the top of your house.

    3. Re:This is a tough one to classify by kris_lang · · Score: 1

      I agree with you, this is front page stuff.

      I was out on a field visit and my CD wasn't with me, so I hunted down a putty client 'cause they would let me run knoppix on their machines. One that I downloaded let me connect but gave me the wrong key number (I remember the first 4 and the last four digits from seeing it so often) so I gave it a fake password. Downloaded another putty client, gave me the right key, so I put in the right passkey and connected. Later investigated and re-downloaded the two putty clients at my "work-home" and didn't even have to md5sum it, they differed in size by 20k. I'm still investigating the innards to see what kind of man-in-the-middle attack it was trying.

  13. Another Putty Question by Richard_at_work · · Score: 1

    Anyone know of any third party tool to 'collect and group' windows in a container window, as I would dearly love to have my 15 or so putty windows act like how KDE's Kterm handles multiple sessions. Basically, when are they going to implement tabbed sessions in putty? :)

    1. Re:Another Putty Question by rpresser · · Score: 1

      Overkill method:

      * set up or get an account on a linux box
      * install an X server on your windows box (e.g. cygwin with X)
      * use putty to ssh from your windows box to your linux box, with X forwarding
      * start an instance of KTerm, running on the linux box but on the X server of your windows box
      * enjoy tabbed kterm windows, and use commandline ssh in each tab

    2. Re:Another Putty Question by Richard_at_work · · Score: 1

      That is ludicrously overkill :P You could cut it down by installing KDE within Cygwin, and use it natively. But that's still overkill :P

  14. Re:PuTTY tip (WinSCP, too?) by mikehoskins · · Score: 2, Informative

    I don't know if it's been posted, yet, otherwise mod me down as redundant -- I am prepared for your wrath.

    What about WinSCP, which uses PuTTY DLLs?

  15. config files? by orn · · Score: 1

    Silly question, but where are PuTTY's config files kept? I'd like to keep a copy of the config file on the same USB key as my putty executable, but I'm not sure where they are stored.

    Thanks...

    --
    1. 2.

    1. Re:config files? by 5amTheButcher · · Score: 2, Informative

      Have you tried reading the FAQ?

      I mean, it's really not *that* hard.

  16. You know ... by Sonic McTails · · Score: 2, Funny

    I was expecting BrICk 1.0 .... (It's a joke, laugh !)

    --
    This signature was left intentionally blank.

  17. Config file export by orn · · Score: 2, Informative

    Thanks for the link.

    You can export the settings using RegEdit

    Start->Run->regedit
    Select the SimonTatham key
    File->Export
    Save the section on your USB key

    On a new machine you can just double click on the .reg file and import all keys into the new machine.

    Does anyone see any problems with this? Perhaps, you should be sure to _not_ take the RandomSeed key, since you'd like to have more randomness...

    Orn

    From the FAQ:

    A.5.2 Where does PuTTY store its data?

    On Windows, PuTTY stores most of its data (saved sessions, SSH host keys) in the Registry. The precise location is

    HKEY_CURRENT_USER\Software\SimonTatham\PuTTY

    and within that area, saved sessions are stored under Sessions while host keys are stored under SshHostKeys.

    PuTTY also requires a random number seed file, to improve the unpredictability of randomly chosen data needed as part of the SSH cryptography. This is stored by default in your Windows home directory (%HOMEDRIVE%\%HOMEPATH%), or in the actual Windows directory (such as C:\WINDOWS) if the home directory doesn't exist, for example if you're using Win95. If you want to change the location of the random number seed file, you can put your chosen pathname in the Registry, at

    HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\RandSeedFile

    On Unix, PuTTY stores all of this data in a directory ~/.putty.

    --
    1. 2.
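
The regedit export described above carries more than sessions and host keys. As an added example (not from the thread or from PuTTY), the Python below filters such a .reg file down to the Sessions and SshHostKeys subkeys, dropping the RandSeedFile value orn is wary of and also ProxyPassword, which PuTTY stores in cleartext inside each saved session; the sample export it runs on is constructed, and the registry paths are the ones quoted from the FAQ above.

```python
import re
import sys

# Added example, not from the thread or from PuTTY. Filters a regedit export
# of HKEY_CURRENT_USER\Software\SimonTatham (the .reg file from the steps
# above) down to saved sessions and host keys before it goes on the USB key.
# Dropped on purpose: RandSeedFile (let each machine keep its own seed path)
# and ProxyPassword, which PuTTY keeps in cleartext inside a saved session.

PUTTY_ROOT = r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY"
KEEP_SUBKEYS = ("Sessions", "SshHostKeys")
DROP_VALUES = {"randseedfile", "proxypassword"}
_VALUE_RE = re.compile(r'^"([^"]+)"=')

def wanted_key(path: str) -> bool:
    # Keep PuTTY\Sessions, PuTTY\SshHostKeys and every key beneath them.
    for sub in KEEP_SUBKEYS:
        root = PUTTY_ROOT + "\\" + sub
        if path == root or path.startswith(root + "\\"):
            return True
    return False

def filter_reg_export(text: str) -> str:
    """Return a .reg text containing only the wanted keys and values."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor"):
        raise ValueError("not a regedit 5.00 export")
    out = [lines[0], ""]
    keep_key = False    # inside a [key] we carry along
    skip_cont = False   # inside a dropped hex(...) value's continuation lines
    for line in lines[1:]:
        if line.startswith("[") and line.endswith("]"):
            keep_key = wanted_key(line[1:-1])
            skip_cont = False
            if keep_key:
                out.append(line)
            continue
        if skip_cont:
            skip_cont = line.endswith("\\")   # continuation lines end in "\"
            continue
        if not keep_key:
            continue
        m = _VALUE_RE.match(line)
        if m and m.group(1).lower() in DROP_VALUES:
            skip_cont = line.endswith("\\")
            continue
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample export (values made up; the key layout is PuTTY's).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY]
"RandSeedFile"="E:\\putty.rnd"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\work]
"HostName"="shell.example.org"
"PortNumber"=dword:00000016
"ProxyPassword"="hunter2"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
"rsa2@22:shell.example.org"="0x10001,0xc0ffee1d"
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real regedit 5.00 exports are UTF-16 with a BOM; keep that encoding.
        with open(sys.argv[1], encoding="utf-16") as src:
            filtered = filter_reg_export(src.read())
        with open(sys.argv[2], "w", encoding="utf-16") as dst:
            dst.write(filtered)
    else:
        print(filter_reg_export(SAMPLE_EXPORT), end="")
```

Run it as `python filter_reg.py exported.reg portable.reg` to produce the trimmed file; with no arguments it prints the filtered sample.
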
    1. Re:Config file export by orn · · Score: 2, Informative

      Hmm.. further exploration found an alternative method for doing this here:

      http://www.tartarus.org/~simon/puttydoc/Chapter4.html#S4.21

      --
      1. 2.

  18. Affects PSCP? (download resume) by eddy · · Score: 1

    I have no idea if this affects pscp too, but I've brought my pscp download resume patch up to date anyhow. Grabbed the source snapshot which I assume post-dates the 0.55 fixes.

    --
    Belief is the currency of delusion.

    1. Re:Affects PSCP? (download resume) by Anonymous Coward · · Score: 0

      So you are the guy trying to make a dent in rsync's user base?

  19. Simple answers by Slinky Saves the Wor · · Score: 1

    Sometimes, version numbers don't mean jack shit. Sometimes, if it's below 1, it doesn't mean anything. Sometimes, if it's 3, it doesn't mean anything. Sometimes, the version numbers are used in a controlled way, based on the roadmap so that given feature will bump version number upwards.

    I would prefer the build number as version number :-)

    --
    I do not moderate.

  20. Screen by orasio · · Score: 1

    Screen might help you, it lets you put several sessions into one. Learning new shortcuts might be a bitch, but it can be very helpful.

    1. Re:Screen by Richard_at_work · · Score: 1

      Nah, screen doesn't really help when it's other machines you want the sessions to connect to (and you don't want them all originating from the unix system). I actually use screen heavily for other reasons tho.