
Serious Security Hole In PuTTY

Posted by timothy
from the and-now-it's-fixed dept.
Tim 'gk^' Nilimaa writes "A serious security hole has been found in PuTTY, version 0.54 and before. Simon Tatham and his fellows released PuTTY 0.55 on 2004-08-03 which solves this bug. The bug may allow servers to use PuTTY to act as a machine that you trust, even before you verify the host's key while connecting using SSH2. An attack could be a fact before you know that you have connected to the wrong machine. I (and they) say: upgrade to PuTTY 0.55 - now."
  • PuTTY tip (Score:1, Interesting)

    by Anonymous Coward
    Not really related to this particular story, but related to recent versions of PuTTY. If using SSH, you can set up dynamic port forwarding which actually works as a SOCKS5 proxy which can be used by many applications. This means secure email, secure web browsing, secure whatever, wherever you are as long as you have access to SSH.
    • I don't know if it's been posted yet, otherwise mod me down as redundant -- I am prepared for your wrath.

      What about WinSCP, which used PuTTY DLLs?
  • Nice response time (Score:5, Insightful)

    by curtisk (191737) on Wednesday August 04, 2004 @08:43AM (#9877811) Homepage Journal
    I've used Putty now and again, but I know a lot of others that do use it on a daily basis...so it's always assuring that the devs have a quick turn around on fixes (especially with free software), that kind of dedication is appreciated
    • by Richard_at_work (517087) <richardprice&gmail,com> on Wednesday August 04, 2004 @03:39PM (#9881994)

      so it's always assuring that the devs have a quick turn around on fixes (especially with free software), that kind of dedication is appreciated

      Not meaning to be nasty to the putty team, but there's no verifiable date of discovery of this bug, and the last release was 2003. This bug could have been known to the team 6 months ago, and only fixed now :).

      • by Simon Tatham (66941) on Thursday August 05, 2004 @10:56AM (#9888966) Homepage
        That's true, we didn't mention that anywhere, did we?

        We were notified of the problem six days before the 0.55 release went out. I'd have liked to get it turned around faster than that, but it took me a few days of bouncing email back and forth to get a coherent description of one of the two problems (the less important one, as it turned out).

        But of course you've only got my word for that...
        • No, I tell a lie, sorry. The Core advisory [coresecurity.com] does mention it: we were notified on 2004-07-28 and published a fix on 2004-08-03.
        • Well, it wasn't in the writeup and it isn't immediately obvious on your website (and I can't decide if your first paragraph is based in sarcasm or not :P)

          I did say I didn't want to be nasty, and that included belittling your effort, I was merely pointing out that we couldn't know for sure that the turn around was swift (and I will take your word for the time scale given, and it's pretty impressive anyway).

          A question, if you will: Are there any plans to include tabbed window sessions in putty? I routinely
          • by orasio (188021)
            Screen [gnu.org] might help you, it lets you put several sessions into one. Learning new shortcuts might be a bitch, but it can be very helpful.
            • Nah, screen doesn't really help when it's other machines you want the sessions to connect to (and you don't want them all originating from the unix system). I actually use screen heavily for other reasons tho.
  • Clarification (Score:5, Informative)

    by SpaceLifeForm (228190) on Wednesday August 04, 2004 @08:48AM (#9877842)
    It's the server that you think you can trust that can execute code on your Putty client.

    The writeup is not clear:

    The bug may allow servers to use PuTTY to act as a machine that you trust,...

    Well, of course you trust your client machine.

  • Putty Question (Score:1, Offtopic)

    by Gigs (127327)
    Does anyone know how to control putty's screen location? I use putty a lot and it always starts at the very top of the screen under a toolbar [truelaunchbar.com] I have there.
    • You could use a macro package, like Macro Express.
      • Re:Putty Question (Score:3, Informative)

        by Gigs (127327)
        Thanks... found AutoHotKey [autohotkey.com] while searching for Macro Express and it can be set up to do just what I need.

        THANK YOU, THANK YOU, THANK YOU!!!

        • ...and thanks to you! I've never heard of AutoHotKey, but it looks very nice. At work, we use Macro Express, which is nice in some areas but extremely limited. AHK is OSS and probably more expandable. I've had to write external scripts/programs a fair amount to get around its limitations. :)
    • by Anonymous Coward
      maybe you just use some toolbar program that wouldn't allow programs to do that..
    • Anyone know of any third party tool to 'collect and group' windows in a container window, as I would dearly love to have my 15 or so putty windows act like how KDE's Kterm handles multiple sessions. Basically, when are they going to implement tabbed sessions in putty? :)
      • Overkill method:

        * set up or get an account on a linux box
        * install an X server on your windows box (e.g. cygwin with X)
        * use putty to ssh from your windows box to your linux box, with X forwarding
        * start an instance of KTerm, running on the linux box but on the X server of your windows box
        * enjoy tabbed kterm windows, and use commandline ssh in each tab

  • by dpilot (134227) on Wednesday August 04, 2004 @09:21AM (#9878102) Homepage Journal
    I've heard lately about a lot more SSH chatter showing up than normal. There's been some speculation about an exploit turning up, soon. Perhaps this is it.

    Or maybe there's Yet More To Come.
  • Mirrors (Score:3, Informative)

    by MikeSweetser (163852) * on Wednesday August 04, 2004 @11:09AM (#9879127) Homepage
    It appears the main PuTTY site has been Slashdotted: here's a few more links:

    http://putty.obengelb.de/ [obengelb.de]
    http://www.puttyssh.org/ [puttyssh.org]
    http://putty.activalink.net/ [activalink.net]

    And a nice mirrors list. [obengelb.de]

    Mike
  • Seriously though (Score:5, Informative)

    by GigsVT (208848) on Wednesday August 04, 2004 @11:51AM (#9879598) Journal
    Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?

    Even with strict checking on, most of us are used to blowing records out of known hosts files when they don't match, due to system upgrades causing the old records to be invalid all the time.
    • I've pissed off many admins by e-mailing them every time they change it without telling me.

      Unfortunately, I usually accept it anyway because I have stuff to do and can't verify with the admin immediately.

      • Yeah, my sysadmin was pissed when I called her on the phone verifying that the ssh-key had changed.
        She wondered why I was even bothering her. Idiot.
        And the last time she did a re-do of the system, she actually sent everyone an email telling them to come to her to get their new passwords: idiot, how do I log in to see THAT email if I don't have my new password.

        I also caught her when she changed a back-up client and the read-time-stamp on my mail file got touched daily when it NEVER had been before. She's
    • Re:Seriously though (Score:3, Interesting)

      by gregfortune (313889)
      What I usually do if I don't know for sure is feed the host a batch of incorrect passwords... If one of them lets me in, the host is certainly a fake. If my fake passwords fail, then I send the correct password and if it *doesn't* let me in, I know my password has been compromised. Not perfect, but admins killing off their keys when they rebuild a machine is pretty lame too.
    • Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?

      If I know the machine just got wiped out or replaced, I'll hit yes. Otherwise, I'll investigate via outside channels. I've uncovered more than one DNS problem by investigating those messages.
    • by menscher (597856)
      Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?

      First off, I'm a sysadmin, and I save my hostkeys when I upgrade.

      Secondly, my client machines have the server key, so user passwords are not required.

      Third, I usually check into the reason. If possible, I log in to a place I would have connected from before. There's only 2-3 machines I regularly log into from random places, and I have their bubble-babble digests memorized. And if I

    • Yes. No! wait! NO!
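The replies above separate two cases that a blind "yes" treats the same: a host seen for the first time and a host whose pinned key has changed. As an added example (not part of the original thread and not PuTTY's code), this Python sketch parses OpenSSH-style `known_hosts` lines and classifies an offered key; the host names and key bytes are constructed sample data, and only plain (unhashed) entries are handled.

```python
import base64
import hashlib
import struct

def make_blob(key_type, key_bytes):
    """SSH wire-format public key blob: two length-prefixed strings."""
    t = key_type.encode()
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(key_bytes)) + key_bytes

def fingerprint(blob):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Map host name -> set of pinned key blobs (plain, unhashed entries only)."""
    hosts = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed ("|1|...") host names.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        try:
            blob = base64.b64decode(fields[2], validate=True)
        except ValueError:
            continue  # malformed key field
        for name in fields[0].split(","):
            hosts.setdefault(name, set()).add(blob)
    return hosts

def check_host(hosts, name, offered_blob):
    """'match', 'changed' (pinned key differs) or 'unknown' (first contact)."""
    pinned = hosts.get(name)
    if not pinned:
        return "unknown"  # verify the fingerprint out of band before accepting
    return "match" if offered_blob in pinned else "changed"

# Constructed sample data: these keys and host names are made up.
PINNED = make_blob("ssh-ed25519", bytes(range(32)))
OTHER = make_blob("ssh-ed25519", bytes(range(32, 64)))
SAMPLE_KNOWN_HOSTS = (
    "# constructed example file\n"
    "build.example.test,10.0.0.5 ssh-ed25519 "
    + base64.b64encode(PINNED).decode() + "\n"
)

if __name__ == "__main__":
    hosts = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for name, blob in [("build.example.test", PINNED), ("build.example.test", OTHER),
                       ("new.example.test", OTHER)]:
        print(name, fingerprint(blob), check_host(hosts, name, blob))
```

A "changed" result is the case worth stopping on: compare the printed fingerprint with one obtained from the admin through another channel before replacing the pinned entry.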
  • by Anonymous Coward
    Why is it that PuTTY is a production quality app and its version number is still < 1? Shouldn't we be at a 1.x release by now?
    • Windows wasn't production ready for version 2003!

      Sorry... couldn't resist.
    • Sometimes, version numbers don't mean jack shit. Sometimes, if it's below 1, it doesn't mean anything. Sometimes, if it's 3, it doesn't mean anything. Sometimes, the version numbers are used in a controlled way, based on the roadmap so that given feature will bump version number upwards.

      I would prefer the build number as version number :-)

  • But whenever I use Windows, I prefer the command-line SSH program that comes with cygwin. Configuring options for SSH is just a chore when I seem to have learned all the switches by heart.
  • Why not front page? (Score:4, Interesting)

    by gmhowell (26755) <gmhowell@gmail.com> on Wednesday August 04, 2004 @12:49PM (#9880248) Homepage Journal
    Why isn't this on the front page? Oh, right, let's bury news of problems with cool programs, but a minor issue (solved six months ago) in a Microsoft program gets front page mission.

    Keep up the good work Rob. Hey, where are the 503's today? It hardly seems like the dot without them.

    Yeah, yeah, -1, flamebait -1 troll. Who gives a crap? Not Rob or OSDTNVHPR
  • Silly question, but where are PuTTY's config files kept? I'd like to keep a copy of the config file on the same USB key as my putty executable, but I'm not sure where they are stored.

    Thanks...

  • I was expecting BrICk 1.0 .... (It's a joke, laugh !)
  • I have no idea if this affects pscp too, but I've brought my pscp download resume [gazonk.org] patch up to date anyhow. Grabbed the source snapshot [tartarus.org] which I assume post-dates the 0.55 fixes.
