Re: ssh

From: Olaf Kirch (okirat_private)
Date: Thu Feb 07 2002 - 01:37:41 PST

Next message: Chip McClure: "Re: Web Browsers vulnerable to the Extended HTML Form Attack (IE and OPERA)"

Previous message: Patrick Kuiper: "Re: Web Browsers vulnerable to the Extended HTML Form Attack (IE and OPERA)"
In reply to: Jose Nazario: "Re: ssh"
Next in thread: Jose Nazario: "Re: ssh"
Reply: Jose Nazario: "Re: ssh"
Reply: Michal Zalewski: "Re: ssh"
Reply: Clinton Smith: "HTTP 1.1 TRACE Command"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Feb 06, 2002 at 05:36:41PM -0500, Jose Nazario wrote:
> The attack itself is very simple. Remember that in CBC mode, each
> plaintext block is XOR'ed with the last ciphertext block and then
> encrypted to produce the next ciphertext block. Suppose the attacker
> suspects that plaintext block P_i might be x, and wants to test whether
> that's the case, he would choose the next plaintext block P_j to be x
> XOR C_(i-1) XOR C_(j-1). If his guess is correct, then C_j = Encrypt(P_j
> XOR C_(j-1)) = Encrypt(P_i XOR C_(i-1)) = C_i, and so he can confirm his
> guess by looking at whether C_j = C_i.

I understand the maths behind this, but I can't quite see a practical
attack. If the attacker wants to guess a plaintext block P_i transmitted
by the SSH client, he must feed his plaintext block P_(i+1) to the
ssh client on standard input, so that it is properly encrypted and then
transmitted. This implies a great deal of control over the client process
(such as the ability to write to the client's standard input).

Maybe I'm dense, but I can't think of many scenarios where an attacker
can get this type of control. Either someone or something establishes
an SSH connection, transmits The Secret and then relinquishes control
of the session to the attacker (which is not a very common use of SSH),
or the attacker obtains control of a user's terminal (hijacking e.g.
the xterm), or of the ssh client process itself. In the latter two cases,
The Secret can usually be retrieved much more conveniently through
traditional methods.

At any rate, I believe this can be used as a local exploit only.

> However even with this and other potential constraints it seems very
> possible for the attacker to succeed in some situations. So I suggest

I don't say it's not a problem, but I think this is exagerating things
a bit. I cannot see this problem being exploited for most "normal" uses
of ssh (remote login and file copy). Tunneling other protocols through
an SSH connection may be a different issue, but it still seems a bit
far-fetched.

Olaf
-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okirat_private  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okirat_private    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.

Next message: Chip McClure: "Re: Web Browsers vulnerable to the Extended HTML Form Attack (IE and OPERA)"
Previous message: Patrick Kuiper: "Re: Web Browsers vulnerable to the Extended HTML Form Attack (IE and OPERA)"
In reply to: Jose Nazario: "Re: ssh"
Next in thread: Jose Nazario: "Re: ssh"
Reply: Jose Nazario: "Re: ssh"
Reply: Michal Zalewski: "Re: ssh"
Reply: Clinton Smith: "HTTP 1.1 TRACE Command"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Feb 07 2002 - 12:04:46 PST