From: David Endler (dendler_at_idefense.com)
Date: Thu Jan 30 2003 - 13:00:17 CST
Hi Dragos,
Non issue? Even though it's a low severity risk, isn't it plausible that
memory containing this sensitive information gets swapped to disk? After
I had ssh'd from a computer only *once* in a shared environment (kiosk,
lab, etc.), couldn't someone still compromise it afterward and gain
those credentials to other systems?
-dave
> -----Original Message-----
> From: Dragos Ruiu [mailto:dr@kyx.net]
> Sent: Wednesday, January 29, 2003 5:39 AM
> To: labs@idefense.com; vulnwatch@vulnwatch.org
> Subject: [VulnDiscuss] Re: [VulnWatch] iDEFENSE Security Advisory
> 01.28.03: SSH2 Clients Insecurely Store Passwords
>
>
> On January 29, 2003 05:51 pm, iDEFENSE Labs wrote:
> > AbsoluteTelnet, SecureCRT, Entunnel, SecureFx, and PuTTY do not properly
> > scrub memory allowing an attacker with access to memory or a memory dump
> > to retrieve authentication information.
>
> If they have access to your raw mem... you've got bigger issues than this.
> Many other avenues exist to said credentials no matter what Putty et al do...
>
> Non-issue.
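The two concerns raised in this thread, credentials lingering in process memory and that memory being swapped to disk, are commonly handled on POSIX systems by locking the buffer and wiping it before release. The following is an added example, not code from PuTTY or any other client named in the advisory; `secret_t` and the `secret_*` functions are hypothetical names, and the password is a constructed sample.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical credential holder: page-aligned so it can be mlock()ed. */
typedef struct { char *buf; size_t cap; int locked; } secret_t;

/* Zero through a volatile pointer so the compiler cannot discard the
 * stores as dead writes when the buffer is freed right afterwards. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Allocate whole pages and try to pin them in RAM (out of swap).
 * mlock() can fail under RLIMIT_MEMLOCK; the result is recorded. */
int secret_init(secret_t *s, size_t cap) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *mem = NULL;
    s->cap = (cap + pg - 1) / pg * pg;
    if (posix_memalign(&mem, pg, s->cap) != 0) return -1;
    s->buf = mem;
    memset(s->buf, 0, s->cap);
    s->locked = (mlock(s->buf, s->cap) == 0);
    return 0;
}

/* Copy the password in; refuse input that does not fit with its NUL. */
int secret_set(secret_t *s, const char *pw) {
    size_t n = strlen(pw);
    if (n >= s->cap) return -1;
    memcpy(s->buf, pw, n + 1);
    return 0;
}

/* Wipe, unlock, free. Returns the number of nonzero bytes still present
 * just before free(); 0 means the buffer was fully scrubbed. */
size_t secret_destroy(secret_t *s) {
    size_t left = 0;
    secure_wipe(s->buf, s->cap);
    for (size_t i = 0; i < s->cap; i++) left += (s->buf[i] != 0);
    if (s->locked) munlock(s->buf, s->cap);
    free(s->buf);
    s->buf = NULL;
    return left;
}

int main(void) {
    secret_t s;
    if (secret_init(&s, 64) != 0) return 1;
    secret_set(&s, "constructed-sample-password");
    return secret_destroy(&s) != 0;
}
```

This only covers the buffer the application controls; copies made by terminal input handling, libraries, or core dumps need separate treatment.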