Slashdot Mirror


Serious Security Hole In PuTTY

Tim 'gk^' Nilimaa writes "A serious security hole has been found in PuTTY, version 0.54 and before. Simon Tatham and his fellows released PuTTY 0.55 on 2004-08-03 which solves this bug. The bug may allow servers to use PuTTY to act as a machine that you trust, even before you verify the host key while connecting using SSH2. An attack could be a fact before you know that you have connected to the wrong machine. I (and they) say: upgrade to PuTTY 0.55 - now."


  1. Nice response time by curtisk · · Score: 4, Insightful

    I've used Putty now and again, but I know a lot of others that do use it on a daily basis...so it's always assuring that the devs have a quick turnaround on fixes (especially with free software); that kind of dedication is appreciated

    --

    Dear toilet user!

    1. Re:Nice response time by Richard_at_work · · Score: 3, Interesting

      so it's always assuring that the devs have a quick turnaround on fixes (especially with free software); that kind of dedication is appreciated

      Not meaning to be nasty to the Putty team, but there's no verifiable date of discovery of this bug, and the last release was 2003. This bug could have been known to the team 6 months ago, and only fixed now :).

    2. Re:Nice response time by Simon Tatham · · Score: 4, Informative

      That's true, we didn't mention that anywhere, did we?

      We were notified of the problem six days before the 0.55 release went out. I'd have liked to get it turned around faster than that, but it took me a few days of bouncing email back and forth to get a coherent description of one of the two problems (the less important one, as it turned out).

      But of course you've only got my word for that...

  2. Clarification by SpaceLifeForm · · Score: 5, Informative
    It's the server that you think you can trust that can execute code on your Putty client.

    The writeup is not clear:

    The bug may allow servers to use PuTTY to act as a machine that you trust,...

    Well, of course you trust your client machine.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
    1. Re:Clarification by whoisjoe · · Score: 5, Funny

      Actually, my client machine has been acting kind of weird lately. I think it's plotting against me, trying to turn my family and friends against...hey what are you do-OW!

      THERE IS NOTHING TO FEAR. ALL IS WELL. NOTHING TO SEE HERE. PLEASE KEEP MOVING.

    2. Re:Clarification by dstone · · Score: 3, Funny

      Well, of course you trust your client machine.

      Not if my client machine runs Windows.

    3. Re:Clarification by AuMatar · · Score: 2, Funny

      I wouldn't do that Dave.

      --
      I still have more fans than freaks. WTF is wrong with you people?
  3. Re:PuTTY tip by Anonymous Coward · · Score: 5, Informative

    Open Putty, Category -> Connection -> SSH -> Tunnels.

    In the port forwarding section, add new forwarded port.

    Pick a source port. Any port will work, but 1080 is the standard for socks 5 proxies. Leave Destination blank, and choose Dynamic (instead of Local or Remote). Click the add button, and you should see D1080 listed in the box.

    Okay, now you can save your session and start it.

    In applications you can go into their connection settings section and set localhost, port 1080 as the SOCKS host. The application will then tunnel everything through your SSH connection.
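    What an application actually says to that D1080 listener, added here as an example (not PuTTY's own code): it builds and parses the SOCKS5 messages of RFC 1928 and runs them against a constructed in-memory stand-in for the listener, so the exchange can be tried offline. Sending the destination as a hostname (address type 3) is what makes the SSH server, rather than your own machine, resolve the name. The host intranet.example, the FakeSocksListener class and all function names are assumptions of this example.

```python
"""SOCKS5 client handshake as an application speaks it to a local SOCKS host
(e.g. PuTTY's D1080 dynamic forward).  Added example, not PuTTY code; the
FakeSocksListener is a constructed stand-in so it runs without a tunnel."""
import ipaddress
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00
NO_ACCEPTABLE_METHODS = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable",
              5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}

def greeting() -> bytes:
    # VER=5, NMETHODS=1, METHODS=[NO AUTH]; a dynamic forward needs no SOCKS auth
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def parse_greeting_reply(data: bytes) -> int:
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 listener: %r" % data)
    if data[1] == NO_ACCEPTABLE_METHODS:
        raise ConnectionError("listener rejected every offered auth method")
    return data[1]

def connect_request(host: str, port: int) -> bytes:
    """CONNECT request.  A hostname goes out as ATYP_DOMAIN, so the name is
    resolved at the SSH server end of the tunnel and never leaks to local DNS."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_connect_reply(data: bytes):
    """Return (reply_code, bound_address, bound_port) from the listener's reply."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) != 2:
        raise ValueError("malformed SOCKS5 reply")
    return rep, addr, struct.unpack("!H", rest)[0]

def socks5_connect(sock, host: str, port: int) -> int:
    """Run the handshake over any object with sendall()/recv(); return reply code."""
    sock.sendall(greeting())
    parse_greeting_reply(sock.recv(2))
    sock.sendall(connect_request(host, port))
    rep, _, _ = parse_connect_reply(sock.recv(262))  # 4 + 1 + 255 + 2 is the longest reply
    return rep

class FakeSocksListener:
    """Constructed stand-in for the local listener: accepts NO AUTH and answers
    every CONNECT with 'succeeded' (or the failure code given)."""
    def __init__(self, reply_code=0):
        self.reply_code, self.received, self._pending = reply_code, [], b""
    def sendall(self, data):
        self.received.append(data)
        if data == greeting():
            self._pending = bytes([SOCKS_VERSION, NO_AUTH])
        else:
            self._pending = bytes([SOCKS_VERSION, self.reply_code, 0, ATYP_IPV4]) + b"\0" * 6
    def recv(self, n):
        out, self._pending = self._pending[:n], self._pending[n:]
        return out

if __name__ == "__main__":
    # Against a live tunnel: sock = socket.create_connection(("127.0.0.1", 1080))
    fake = FakeSocksListener()
    print(REPLY_TEXT[socks5_connect(fake, "intranet.example", 80)])
```

    Any reply code other than 0 means the server end of the tunnel could not reach the destination, so the failure is on the far side, not in PuTTY. Leave PuTTY's "Local ports accept connections from other hosts" box unticked: the listener then answers only on 127.0.0.1, and nothing else on the LAN can ride your tunnel.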

  4. Recent SSH chatter... by dpilot · · Score: 3, Funny

    I've heard lately about a lot more SSH chatter showing up than normal. There's been some speculation about an exploit turning up, soon. Perhaps this is it.

    Or maybe there's Yet More To Come.

    --
    The living have better things to do than to continue hating the dead.
    1. Re:Recent SSH chatter... by Col. Klink (retired) · · Score: 3, Informative

      This exploit attacks a client as it connects to a server. Seeing ssh chatter in your logs means someone is trying to exploit your server.

      --

      Don't Tase me, bro!

    2. Re:Recent SSH chatter... by Rich · · Score: 2, Informative

      Someone has been brute forcing ssh passwords - this is likely to be what you're seeing. Check out isc.incidents.org for details.

  5. Mirrors by MikeSweetser · · Score: 3, Informative

    It appears the main PuTTY site has been Slashdotted: here's a few more links:

    http://putty.obengelb.de/
    http://www.puttyssh.org/
    http://putty.activalink.net/

    And a nice mirrors list.

    Mike

  6. Re:Putty Question by Gigs · · Score: 2, Informative

    Thanks... found AutoHotKey while searching for Macro Express and it can be setup to do just what I need.

    THANK YOU, THANK YOU, THANK YOU!!!

  7. Seriously though by GigsVT · · Score: 5, Informative

    Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?

    Even with strict checking on, most of us are used to blowing records out of known hosts files when they don't match, due to system upgrades causing the old records to be invalid all the time.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
    1. Re:Seriously though by gregfortune · · Score: 2, Interesting

      What I usually do if I don't know for sure is feed the host a batch of incorrect passwords... If one of them lets me in, the host is certainly a fake. If my fake passwords fail, then I send the correct password and if it *doesn't* let me in, I know my password has been compromised. Not perfect, but admins killing off their keys when they rebuild a machine is pretty lame too.

    2. Re:Seriously though by menscher · · Score: 2, Insightful
      Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?

      First off, I'm a sysadmin, and I save my hostkeys when I upgrade.

      Secondly, my client machines have the server key, so user passwords are not required.

      Third, I usually check into the reason. If possible, I log in to a place I would have connected from before. There are only 2-3 machines I regularly log into from random places, and I have their bubble-babble digests memorized. And if I have no other choice, I connect and then immediately do the "ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub" to verify the key matches. If it doesn't, then I would know I'd been caught by a MITM attack. I could immediately su and lock my account and the su account I used to lock myself out (leaving only root).

      Are these practical steps? YES! Trust me... there were attempted MITM attacks at Defcon this year. That is one place I would NOT accept an unknown hostkey.
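    The fingerprint comparison described in that last comment, added here as an example (not OpenSSH's or PuTTY's code): it decodes a public-key line, produces the MD5 colon-hex and Bubble Babble digests that `ssh-keygen -l` and `ssh-keygen -B` printed at the time, plus the SHA256 form current ssh-keygen prints, and checks the key a server offers against a known_hosts entry byte for byte. The key line, the hosts shell.example and 10.0.0.7, and the known_hosts text are constructed, and the modulus is a toy value rather than a real RSA key.

```python
"""Out-of-band SSH host key check.  Added example, not OpenSSH or PuTTY code;
the sample key uses a toy modulus so everything runs offline."""
import base64
import hashlib
import struct

def ssh_string(b: bytes) -> bytes:
    return struct.pack("!I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    # SSH mpint: big-endian magnitude, with a leading zero byte when the high bit is set
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\0" + raw
    return ssh_string(raw)

def rsa_pubkey_blob(e: int, n: int) -> bytes:
    # Wire format of an ssh-rsa public key: the bytes that a .pub file base64-encodes
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def blob_from_line(line: str) -> bytes:
    """Accept a .pub line ('ssh-rsa AAAA... comment') or a known_hosts line
    ('host ssh-rsa AAAA...'): the blob is the token after the key type."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-")):
            return base64.b64decode(fields[i + 1])
    raise ValueError("no SSH public key on line")

def md5_fingerprint(blob: bytes) -> str:
    # What ssh-keygen -l printed in 2004: 16 colon-separated hex bytes
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())

def sha256_fingerprint(blob: bytes) -> str:
    # What current ssh-keygen -l prints: unpadded base64 of the SHA-256 digest
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def bubblebabble(data: bytes) -> str:
    """Bubble Babble encoding of arbitrary bytes (the 'bubble-babble digest' above)."""
    vowels, consonants = "aeiouy", "bcdfghklmnprstvzx"
    seed, rounds, out = 1, len(data) // 2 + 1, ["x"]
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2 != 0:
            b1 = data[2 * i]
            out += [vowels[(((b1 >> 6) & 3) + seed) % 6], consonants[(b1 >> 2) & 15],
                    vowels[((b1 & 3) + seed // 6) % 6]]
            if i + 1 < rounds:
                b2 = data[2 * i + 1]
                out += [consonants[(b2 >> 4) & 15], "-", consonants[b2 & 15]]
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:
            out += [vowels[seed % 6], consonants[16], vowels[seed // 6]]
    return "".join(out) + "x"

def bubblebabble_fingerprint(blob: bytes) -> str:
    # ssh-keygen -B applies Bubble Babble to the SHA-1 of the key blob
    return bubblebabble(hashlib.sha1(blob).digest())

def host_key_matches(known_hosts: str, host: str, offered_line: str) -> bool:
    """True only if the key recorded for `host` is byte-for-byte the offered one.
    Plain hostnames only; hashed known_hosts entries are not handled here."""
    offered = blob_from_line(offered_line)
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and host in fields[0].split(","):
            return blob_from_line(line) == offered
    return False

# Constructed sample data: toy moduli, not real RSA keys, and made-up hosts.
SERVER_KEY_LINE = "ssh-rsa %s root@shell.example" % base64.b64encode(
    rsa_pubkey_blob(65537, 0xDEADBEEFCAFEF00D)).decode()
IMPOSTER_KEY_LINE = "ssh-rsa %s" % base64.b64encode(
    rsa_pubkey_blob(65537, 0xBADC0FFEE0DDF00D)).decode()
KNOWN_HOSTS = "shell.example,10.0.0.7 %s\n" % SERVER_KEY_LINE.rsplit(" ", 1)[0]

if __name__ == "__main__":
    blob = blob_from_line(SERVER_KEY_LINE)
    print("MD5    ", md5_fingerprint(blob))
    print("Babble ", bubblebabble_fingerprint(blob))
    print("SHA256 ", sha256_fingerprint(blob))
    print("offered key recorded for shell.example:",
          host_key_matches(KNOWN_HOSTS, "shell.example", SERVER_KEY_LINE))
    print("imposter key recorded for shell.example:",
          host_key_matches(KNOWN_HOSTS, "shell.example", IMPOSTER_KEY_LINE))
```

    The point of the check is that the fingerprint is computed from the key the server presented during the handshake, while the value you compare it to comes from somewhere the attacker does not control: a digest you memorized, a previous known_hosts entry, or `ssh-keygen -l` run on the host itself over a session you already trust. A mismatch means the connection should be dropped, not the known_hosts line.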

  8. What I want to know... by Anonymous Coward · · Score: 2, Interesting

    Why is it that PuTTY is a production quality app and its version number is still < 1? Shouldn't we be at a 1.x release by now?

  9. Why not front page? by gmhowell · · Score: 4, Interesting

    Why isn't this on the front page? Oh, right, let's bury news of problems with cool programs, but a minor issue (solved six months ago) in a Microsoft program gets a front page mention.

    Keep up the good work Rob. Hey, where are the 503's today? It hardly seems like the dot without them.

    Yeah, yeah, -1, flamebait -1 troll. Who gives a crap? Not Rob or OSDTNVHPR

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  10. Re:This is a tough one to classify by gmhowell · · Score: 2, Insightful

    It is for the former reason that it should be front page. IMNSHO.

    Instead, we have 'Microsoft will try blogging service in Japan', ' ESA To Study Human Hibernation', and 'DEFCON WiFi Shootout Winners Set A Land Record'.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  11. Re:PuTTY tip (WinSCP, too?) by mikehoskins · · Score: 2, Informative

    I don't know if it's been posted yet, otherwise mod me down as redundant -- I am prepared for your wrath.

    What about WinSCP, which uses PuTTY DLLs?

  12. You know ... by Sonic McTails · · Score: 2, Funny

    I was expecting BrICk 1.0 .... (It's a joke, laugh !)

    --
    This signature was left intentionally blank.
  13. Re:config files? by 5amTheButcher · · Score: 2, Informative

    Have you tried reading the FAQ?

    I mean, it's really not *that* hard.

  14. Config file export by orn · · Score: 2, Informative

    Thanks for the link.

    You can export the settings using RegEdit

    Start->Run->regedit
    Select the SimonTatham key
    File->Export
    Save the section on your USB key

    On a new machine you can just double click on the .reg file and import all keys into the new machine.

    Does anyone see any problems with this? Perhaps, you should be sure to _not_ take the RandomSeed key, since you'd like to have more randomness...

    Orn

    From the FAQ:

    A.5.2 Where does PuTTY store its data?

    On Windows, PuTTY stores most of its data (saved sessions, SSH host keys) in the Registry. The precise location is

    HKEY_CURRENT_USER\Software\SimonTatham\PuTTY

    and within that area, saved sessions are stored under Sessions while host keys are stored under SshHostKeys.

    PuTTY also requires a random number seed file, to improve the unpredictability of randomly chosen data needed as part of the SSH cryptography. This is stored by default in your Windows home directory (%HOMEDRIVE%\%HOMEPATH%), or in the actual Windows directory (such as C:\WINDOWS) if the home directory doesn't exist, for example if you're using Win95. If you want to change the location of the random number seed file, you can put your chosen pathname in the Registry, at

    HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\RandomSeedFile

    On Unix, PuTTY stores all of this data in a directory ~/.putty.

    --
    1. Re:Config file export by orn · · Score: 2, Informative

      Hmm.. further exploration found an alternative method for doing this here:

      http://www.tartarus.org/~simon/puttydoc/Chapter4.html#S4.21

      --
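    A filter for the .reg file that orn's export procedure produces, added here as an example rather than anything from PuTTY's authors: it keeps the Sessions and SshHostKeys subtrees, drops the RandomSeedFile value orn warns about, and also drops any ProxyPassword a saved session may carry, since PuTTY stores that setting in clear text and a USB key is an easy thing to lose. The sample export, the host shell.example, the E:\PUTTY.RND path and the host key value are all constructed.

```python
"""Trim a Regedit export of HKEY_CURRENT_USER\Software\SimonTatham\PuTTY before
carrying it to another machine.  Added example, not PuTTY code."""
import re

PUTTY_ROOT = r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY"

# Constructed sample export, not taken from any real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY]
"RandomSeedFile"="E:\\PUTTY.RND"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\shell.example]
"HostName"="shell.example"
"PortNumber"=dword:00000016
"Protocol"="ssh"
"ProxyPassword"="hunter2"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
"rsa2@22:shell.example"="0x10001,0xdeadbeefcafef00d"
"""

def parse_reg(text):
    """Split a .reg export into (header line, [(key path, [value lines])])."""
    lines = text.splitlines()
    header, sections, current = lines[0], [], None
    for line in lines[1:]:
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], [])
            sections.append(current)
        elif line.strip() and current is not None:
            current[1].append(line)
    return header, sections

def value_name(line):
    """Name of the value a .reg line sets ('@' for a key's default value)."""
    if line.startswith("@="):
        return "@"
    m = re.match(r'"((?:[^"\\]|\\.)*)"=', line)
    return m.group(1) if m else None

def under(path, subkey):
    prefix = PUTTY_ROOT + "\\" + subkey
    return path == prefix or path.startswith(prefix + "\\")

def filter_reg_export(text, keep_subkeys=("Sessions", "SshHostKeys"),
                      drop_values=("RandomSeedFile", "ProxyPassword")):
    """Return (filtered .reg text, list of what was left out)."""
    header, sections = parse_reg(text)
    out, dropped = [header, ""], []
    for path, values in sections:
        if path != PUTTY_ROOT and not any(under(path, k) for k in keep_subkeys):
            dropped.append(path)
            continue
        kept = []
        for line in values:
            name = value_name(line)
            if name in drop_values:
                dropped.append(path + "\\" + name)
            else:
                kept.append(line)
        out.append("[%s]" % path)
        out.extend(kept)
        out.append("")
    return "\n".join(out), dropped

if __name__ == "__main__":
    import sys
    # Regedit 5 writes UTF-16 with a BOM; the utf-16 codec handles that
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    filtered, dropped = filter_reg_export(text)
    sys.stdout.write(filtered)
    for item in dropped:
        print("dropped:", item, file=sys.stderr)
```

    The machine you import onto gets its own RandomSeedFile the first time PuTTY runs there, so nothing is lost by leaving that value out; the SshHostKeys entries are worth carrying precisely because they are what lets PuTTY warn you when a server's key changes.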