Man in the Middle Attack Vulnerability
Man in the middle attack vector found in sshconnect.c
Duplicate:
- Add an ssh key for the remote server, but add the wrong IP
- ssh now prompts: Are you sure you want to continue connecting? yes/no
- User enters `yes` but then realizes, oh boy, it's a man in the middle attack, and yet the backspace key is broken (thanks, peanut butter). So then ultimately submits `yes_waitnobackspaceisbroken`
- Validation fails, ssh accepts the `yes` answer. The database and files are hacked and everything lost. The CTO writes a blog post on Medium as a postmortem, but loses the entire customer base. Great, ssh.
See line here: https://github.com/brl/obfuscated-openssh/blob/ca93a2c09cf0f6d2f80e7daca18a669045665a3b/sshconnect.c#L570
The check for the `yes` value only checks that `yes` is at position 0. If the user types in `yesohwaitmybackspacekeyisbroken_imeantno`, they will be potentially vulnerable to a man in the middle attack, not knowing the validation has failed them.
Scary stuff.
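Editor's note: the following is an added example, not code from OpenSSH or from this repository. It isolates the answer-parsing behaviour the issue describes (accept any line whose first three characters are `yes`, case-insensitively, reject an empty line or one starting with `no`, otherwise re-prompt) in a function that takes the typed line as a string, and places a stricter whole-line comparison beside it. The function names and the strict variant are this example's own, not an OpenSSH patch.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Classify a typed answer the way the issue describes the host-key prompt
 * doing: a 3-character case-insensitive prefix compare.
 * Returns 1 = accept, 0 = reject, -1 = unrecognised (caller would re-prompt).
 * Example function, not the OpenSSH implementation itself.
 */
int classify_prefix(const char *p)
{
    int ret = -1;

    if (p == NULL || p[0] == '\0' || p[0] == '\n' ||
        strncasecmp(p, "no", 2) == 0)
        ret = 0;
    /* Only the first three characters are compared, so
     * "yesohwaitmybackspacekeyisbroken_imeantno" is accepted. */
    if (p && strncasecmp(p, "yes", 3) == 0)
        ret = 1;
    return ret;
}

/*
 * Strict variant (hypothetical hardening): the whole line, minus a trailing
 * newline, must be exactly "yes" or "no", case-insensitively.
 * Anything else returns -1 so the caller re-prompts instead of guessing.
 */
int classify_strict(const char *p)
{
    char buf[64];
    size_t n;

    if (p == NULL)
        return 0;                 /* EOF on the prompt: treat as no */
    n = strlen(p);
    if (n >= sizeof buf)
        return -1;                /* absurdly long line: re-prompt */
    memcpy(buf, p, n + 1);
    if (n > 0 && buf[n - 1] == '\n')
        buf[--n] = '\0';
    if (n == 0)
        return 0;                 /* empty line defaults to no */
    if (strcasecmp(buf, "yes") == 0)
        return 1;
    if (strcasecmp(buf, "no") == 0)
        return 0;
    return -1;
}

int main(void)
{
    /* Constructed sample answers, including the one from the issue. */
    const char *samples[] = {
        "yes", "Yes", "no", "",
        "yesohwaitmybackspacekeyisbroken_imeantno", "maybe"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s prefix=%2d strict=%2d\n", samples[i],
               classify_prefix(samples[i]), classify_strict(samples[i]));
    return 0;
}
```

Running it shows the two classifiers agree on `yes`, `Yes`, `no`, the empty line and `maybe`, and disagree only on the over-long answer: the prefix version accepts it, the strict version re-prompts. Whether that difference is a security boundary is what the rest of this thread disputes; the example only pins down the parsing behaviour.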
-
Whether or not you can delete keystrokes in the buffer via backspace is determined by multiple factors.
-
Sorry, but I fail to see the connection: how does that make it a MITM vulnerability?
- If you want to quit the ssh client immediately during host key confirmation, use Ctrl+C or the `kill` command.
- If you would like to remove a public key from the known hosts, read the manual of `ssh-keygen`.
- If you realized but, not knowing the validation has failed, keep on entering your password*, the software is not to be blamed, you are.

*: In key-based authentication, your private key is never sent to the server/attacker. Only password-based authentication may be affected by your proposed MITM scheme.
-
The line you're referring to is from the pristine OpenSSH 5.2 source [git blame]. I failed to find any related CVE on a MITM vulnerability for OpenSSH 5.2. Even if it has known vulnerabilities, I wouldn't be surprised, given that it was released almost 10 years ago.
-
It would be responsible to report any security issue privately to the maintainers instead of in a public place like GitHub issues.
Btw, this project is long dead.