Slashdot Mirror
Serious Security Hole In PuTTY
Tim 'gk^' Nilimaa writes "A serious security hole has been found in PuTY, version 0.54 and before. Simon Tatham and his fellows released PuTTY 0.55 on 2004-08-03 which solves this bug. The bug may allow servers to use PuTTY to act as a machine that you trust, even beforce you verify the hosts key while connecting using SSH2. An attack could be a fact before you know that you have connected to the wrong machine. I (and they) say: upgrade to PuTTY 0.55 - now."
The writeup is not clear:
The bug may allow servers to use PuTTY to act as a machine that you trust,...
Well, of course you trust your client machine.
You are being MICROattacked, from various angles, in a SOFT manner.
Open Putty, Category -> Connection -> SSH -> Tunnels.
In the port forwarding section, add new forwarded port.
Pick a source port. Any port will work, but 1080 is the standard for socks 5 proxies. Leave Destination blank, and choose Dynamic (instead of Local or Remote). Click the add button, and you should see D1080 listed in the box.
Okay, now you can save your session and start it.
In applications you can go into their connection settings section and set localhost, port 1080 as the SOCKS host. The application will then tunnel everything through your SSH connection.
This exploit attacks a client as it conencts to a server. Seeing ssh chatter in your logs means someone is trying to exploit your server.
-- Don't Tase me, bro!
Yes, it's an unbelievably lame script that scans for open SSH ports and then tries to login using "guest" and "test". I bet the 31337 script kiddie who put it together is creaming himself from all the attention it's getting.
Hint - if you get hacked by this, you probably deserve it.
It's been thoroughly analysed and doesn't use any exploits old or new. Think of it as an automated retard hunter.
It appears the main PuTTY site has been Slashdotted: here's a few more links:
http://putty.obengelb.de/
http://www.puttyssh.org/
http://putty.activalink.net/
And a nice mirrors list.
Mike
Thanks... found AutoHotKey while searching for Macro Express and it can be setup to do just what I need.
THANK YOU, THANK YOU, THANK YOU!!!
Isnt this only useful if the place you are sshing to can get out on the ports you want to use your app for?
Yes, but a lot of servers don't restrict outgoing ports, or it may be YOUR remote server, and you can do what you want with it.
Also the only encryption is between you and the box not from the box out to tinternet.
True, but again, you may be more concerned about your connection from A -> B than from B -> C, especially if A -> B is work/wireless/whatever. At work all people would see is a single connection on port 22, which you could could even move to make it look less like SSH.
Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?
Even with strict checking on, most of us are used to blowing records out of known hosts files when they don't match, due to system upgrades causing the old records to be invalid all the time.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
I don't know if it's been posted, yet, otherwise mod me down as redunant -- I am prepared for your wrath.
What about WinSCP, which used PuTTY DLLs'?
Have you tried reading the FAQ?
I mean, it's really not *that* hard.
Cash prize, guaranteed!
Thanks for the link.
.reg file and import all keys into the new machine.
n dS eedFile
You can export the settings using RegEdit
Start->Run->regedit
Select the SimonTatham key
File->Export
Save the section on your USB key
On a new machine you can just double click on the
Does anyone see any problems with this? Perhaps, you should be sure to _not_ take the RandomSeed key, since you'd like to have more randomness...
Orn
From the FAQ:
A.5.2 Where does PuTTY store its data?
On Windows, PuTTY stores most of its data (saved sessions, SSH host keys) in the Registry. The precise location is
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY
and within that area, saved sessions are stored under Sessions while host keys are stored under SshHostKeys.
PuTTY also requires a random number seed file, to improve the unpredictability of randomly chosen data needed as part of the SSH cryptography. This is stored by default in your Windows home directory (%HOMEDRIVE%\%HOMEPATH%), or in the actual Windows directory (such as C:\WINDOWS) if the home directory doesn't exist, for example if you're using Win95. If you want to change the location of the random number seed file, you can put your chosen pathname in the Registry, at
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Ra
On Unix, PuTTY stores all of this data in a directory ~/.putty.
1. 2.
Someone has been brute forcing ssh passwords - this is likely to be what you're seeing. Check out isc.incidents.org for details.
That's true, we didn't mention that anywhere, did we?
We were notified of the problem six days before the 0.55 release went out. I'd have liked to get it turned around faster than that, but it took me a few days of bouncing email back and forth to get a coherent description of one of the two problems (the less important one, as it turned out).
But of course you've only got my word for that...