Re: Probable SSH Vulnerability
Nick Boyce <nick@glimmer.demon.co.uk> writes:
>>These attacks require wiretapping and traffic
>>manipulation capabilities.
>
> I'd be interested if you could expand on this - do you mean a
> connection to the victim's LAN is necessary ?
LAN or WAN. Actually, access to any transmission link suffices.
> I'd have thought ability to intercept WAN traffic was enough,
Correct, but wiretapping WANs is not exactly straightforward. 8-) You
will have a hard time doing it even if you've compromised some
intermediate router. In a true WAN environment, scalable
eavesdropping requires access to the physical medium and special
eavesdropping cards for the machines that perform the eavesdropping.
You can't redirect traffic in a WAN setting just by ARP spoofing. 8-)
> And AIUI, traffic manipulation is a standard technique for a skilled
> Bad Guy (injecting packets, fiddling with packets, connection
> hijacking).
Yes, but the attacker usually shares the LAN with the victim host or
the other end of the communication.
> The sort of skill level required to perform a sequence number attack
> would do, wouldn't it ?
No, it wouldn't. IIRC, the SSH 1 protocol is not *that* weak.
> But someone's got to be the first to fall prey to each new technique -
> why not Tim ?
Because he noticed something, and he's so desperate that he's posting
publicly to debian-security. 8-)
If I had a new super-duper SSH exploit or could eavesdrop a WAN link,
I wouldn't risk burning it on low-profile targets.
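The reply above hinges on the attacker having to redirect traffic on a shared LAN (ARP spoofing) rather than on a WAN link. That redirection leaves a trace a LAN monitor can see: the same IP being announced from a second MAC, or one MAC answering for several IPs. The script below is an added example, not code from the thread or from any Debian package; the ARP reply records in it are constructed, not captured from a real network.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a LAN monitor might record them:
# (timestamp, sender IP, sender MAC). Not captured from a real network.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.0.2.1",  "00:11:22:33:44:01"),   # gateway
    ("10:00:02", "192.0.2.10", "00:11:22:33:44:10"),   # victim host
    ("10:00:05", "192.0.2.1",  "00:11:22:33:44:01"),
    ("10:00:09", "192.0.2.1",  "00:11:22:33:44:99"),   # third MAC claims the gateway IP
    ("10:00:10", "192.0.2.10", "00:11:22:33:44:99"),   # ...and the victim's IP too
    ("10:00:12", "192.0.2.1",  "00:11:22:33:44:01"),   # real gateway answers again
]


def detect_arp_conflicts(replies):
    """Return (timestamp, ip, old_mac, new_mac) for every reply in which an IP
    already seen with one MAC is announced from a different MAC.
    Each flip of the binding is reported, including the flip back."""
    seen = {}
    alerts = []
    for ts, ip, mac in replies:
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, ip, prev, mac))
        seen[ip] = mac
    return alerts


def macs_claiming_multiple_ips(replies):
    """Return {mac: sorted IPs} for every MAC that answered for more than one IP,
    the pattern of a host inserting itself between two LAN peers."""
    ips = defaultdict(set)
    for _, ip, mac in replies:
        ips[mac].add(ip)
    return {mac: sorted(v) for mac, v in ips.items() if len(v) > 1}


if __name__ == "__main__":
    for ts, ip, old, new in detect_arp_conflicts(SAMPLE_ARP_REPLIES):
        print(f"{ts} {ip}: MAC changed {old} -> {new}")
    for mac, claimed in macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES).items():
        print(f"{mac} answered for {', '.join(claimed)}")
```

Both checks fire on the constructed sample: the gateway IP flips to the third MAC and back, and that MAC is the only one answering for two addresses. A binding change on its own is not proof of an attack (a router failover or a replaced NIC produces the same alert), so in practice the first check is a trigger for a closer look and the second is the stronger signal.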