
Man in the Middle Attack Vulnerability #9

Open
zschuessler opened this issue Jan 22, 2016 · 1 comment

Comments

@zschuessler

Man in the middle attack vector found in sshconnect.c

Duplicate:

  1. Add ssh key for remote server, but add wrong IP
  2. ssh now prompts: Are you sure you want to continue connecting? yes/no
  3. User enters yes but then realizes, oh boy, it's a man in the middle attack, and yet the backspace key is broken (thanks, peanut butter). So then ultimately submits yes_waitnobackspaceisbroken
  4. Validation fails, ssh accepts the yes answer. The database and files are hacked and everything lost. The CTO writes a blog post on Medium as a postmortem, but loses entire customer base. Great, ssh.

See line here:

const char *msg, *again = "Please type 'yes' or 'no': ";

The check for the yes value only checks to see that yes is at position 0. If the user types in yesohwaitmybackspacekeyisbroken_imeantno they will be potentially vulnerable to a man in the middle attack, not knowing the validation has failed them.

Scary stuff.
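To make the point concrete, here is an added illustration (not code from the issue or from OpenSSH) of the two ways to validate that prompt answer. `confirm_prefix` models the behaviour the issue describes: a case-insensitive comparison of only the first three characters, so any answer beginning with "yes" is accepted. `confirm_strict` is the hardened form: it trims the newline and surrounding whitespace that a line read from the terminal carries and then requires the whole token to be exactly "yes" or "no", re-prompting (return value -1) for anything else. The function names and the sample answers are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Prefix check, modelled on the behaviour reported in the issue:
 * returns 1 for any answer whose first three characters spell "yes",
 * 0 for NULL/EOF or anything starting with "no", -1 (ask again) otherwise. */
int confirm_prefix(const char *answer)
{
    if (answer == NULL || strncasecmp(answer, "no", 2) == 0)
        return 0;
    if (strncasecmp(answer, "yes", 3) == 0)
        return 1;
    return -1;
}

/* Strict check: whole-token match after trimming whitespace.
 * "yes_waitnobackspaceisbroken" is neither "yes" nor "no", so the
 * caller re-prompts instead of silently treating it as consent. */
int confirm_strict(const char *answer)
{
    size_t n;

    if (answer == NULL)              /* EOF on the terminal: never consent */
        return 0;
    while (isspace((unsigned char)*answer))
        answer++;                    /* leading spaces */
    n = strlen(answer);
    while (n > 0 && isspace((unsigned char)answer[n - 1]))
        n--;                         /* trailing newline / spaces */
    if (n == 2 && strncasecmp(answer, "no", 2) == 0)
        return 0;
    if (n == 3 && strncasecmp(answer, "yes", 3) == 0)
        return 1;
    return -1;                       /* anything else: ask again */
}

int main(void)
{
    /* Constructed sample answers, including the one from the issue. */
    const char *samples[] = {
        "yes\n", "YES", "no\n", "yes_waitnobackspaceisbroken",
        "yesohwaitmybackspacekeyisbroken_imeantno", "nope", "maybe", NULL
    };
    size_t i;

    printf("%-45s %7s %7s\n", "answer", "prefix", "strict");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s %7d %7d\n",
               samples[i] ? samples[i] : "(EOF)",
               confirm_prefix(samples[i]), confirm_strict(samples[i]));
    return 0;
}
```

The row for the issue's example shows the difference: the prefix check returns 1 (connect), the strict check returns -1 (re-prompt), which is the outcome a user who mistyped would want.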

@zypA13510

zypA13510 commented Jun 26, 2019

  1. Whether or not you can delete keystrokes in the buffer via backspace is determined by multiple factors.

  2. Sorry, but I failed to see how that makes it a MITM vulnerability.

    • If you want to quit the ssh client immediately during host key confirmation, use Ctrl+C or the kill command.
    • If you would like to remove a public key from the known hosts, read the manual of ssh-keygen.
    • If you realized, but not knowing the validation had failed, kept on entering your password*, the software is not to be blamed; you are.
      *: In key-based authentication, your private key is never sent to the server/attacker. Only password-based authentication may be affected by your proposed MITM scheme.
  3. The line you're referring to is from pristine OpenSSH 5.2 source [git blame]. I failed to find any related CVE on a MITM vulnerability for OpenSSH 5.2. Even if it has known vulnerabilities, I wouldn't be surprised, given that it was released almost 10 years ago.

  4. It would be responsible to report any security issue privately with the maintainers instead of in a public place like GitHub issues.

Btw, this project is long dead.
