[Secure-testing-team] Bug#774769: [lftp] saves unknown host's fingerprint in known_hosts without any prompt
Marcin Szewczyk
Marcin.Szewczyk at wodny.org
Wed Jan 7 11:39:53 UTC 2015
Package: lftp
Version: 4.6.0-1
Severity: normal
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
From the src/SSH_Access.cc file:
47: const char *y="(yes/no)?";
73: if(s>=y_len && !strncasecmp(b+s-y_len,y,y_len))
74: {
75: pty_recv_buf->Put("yes\n");
76: pty_send_buf->Put("yes\n");
77: return m;
78: }
Not only does it make a particular SFTP file transfer insecure, but also
any future connection via any SSH client.
After enabling debug (the "yes" answer generated automatically):
#v+
$ lftp sftp://mszewczyk@localhost:22203
Password:
lftp mszewczyk@localhost:~> debug
lftp mszewczyk@localhost:~> ls
---- Running connect program (ssh -a -x -s -l mszewczyk -p 22203 localhost sftp)
---> sending a packet, length=5, type=1(INIT), id=0
<--- The authenticity of host '[localhost]:22203 ([::1]:22203)' can't be established.
<--- RSA key fingerprint is 84:a2:ec:3d:98:1e:95:e6:e4:68:d9:a4:31:92:f7:8d.
<--- Are you sure you want to continue connecting (yes/no)? yes
<---
<--- Warning: Permanently added '[localhost]:22203' (RSA) to the list of known hosts.
#v-
--- System information. ---
Architecture: amd64
Kernel: Linux 3.16.0-4-amd64
Debian Release: 8.0
500 testing security.debian.org
500 testing ftp.pl.debian.org
500 stable security.debian.org
500 stable ftp.pl.debian.org
--- Package information. ---
Depends (Version) | Installed
===================================-+-==============
libc6 (>= 2.17) |
libgcc1 (>= 1:4.1.1) |
libgnutls-deb0-28 (>= 3.2.10-0) |
libreadline6 (>= 6.0) |
libstdc++6 (>= 4.1.1) |
libtinfo5 |
zlib1g (>= 1:1.1.4) |
netbase |
Package's Recommends field is empty.
Package's Suggests field is empty.
--
Marcin Szewczyk http://wodny.org
mailto:Marcin.Szewczyk at wodny.borg <- remove b / usuń b
xmpp:wodny at ubuntu.pl xmpp:wodny at jabster.pl
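Added example, not part of the original report and not lftp's own code: the auto-answer behaviour described above, next to a variant that answers "no" unless the operator has explicitly opted in. The function names, the HostKeyPolicy type and the trailing-blank handling are assumptions made for this illustration.

```cpp
// Added illustration, not lftp source. Function and type names are hypothetical.
#include <cstdio>
#include <string>
#include <strings.h>  // strncasecmp (POSIX)

// Constructed input: the ssh question as it appears in the debug transcript.
static const char kSample[] =
    "The authenticity of host '[localhost]:22203 ([::1]:22203)' can't be established.\n"
    "RSA key fingerprint is 84:a2:ec:3d:98:1e:95:e6:e4:68:d9:a4:31:92:f7:8d.\n"
    "Are you sure you want to continue connecting (yes/no)? ";

enum class HostKeyPolicy { Refuse, AutoConfirm };  // assumed opt-in setting

struct PromptAction {
    bool matched;       // buffer ends with the "(yes/no)?" question
    std::string reply;  // bytes to send to ssh; empty when nothing matched
};

// Same suffix test as the quoted line 73; skipping trailing blanks is an
// assumption made here so the sample with its final space matches.
static bool ends_with_question(const std::string &buf) {
    static const char y[] = "(yes/no)?";
    const size_t y_len = sizeof(y) - 1;
    size_t s = buf.size();
    while (s > 0 && buf[s - 1] == ' ') --s;
    return s >= y_len && !strncasecmp(buf.data() + s - y_len, y, y_len);
}

// Behaviour described in the report: any such question is answered "yes".
PromptAction answer_as_reported(const std::string &buf) {
    if (ends_with_question(buf)) return {true, "yes\n"};
    return {false, ""};
}

// Hardened variant: answer "no" unless the operator explicitly opted in, so an
// unknown key makes ssh abort and known_hosts is left untouched.
PromptAction answer_hardened(const std::string &buf, HostKeyPolicy policy) {
    if (!ends_with_question(buf)) return {false, ""};
    return {true, policy == HostKeyPolicy::AutoConfirm ? "yes\n" : "no\n"};
}

int main() {
    PromptAction a = answer_hardened(kSample, HostKeyPolicy::Refuse);
    std::printf("matched=%d reply=%s", a.matched, a.reply.c_str());
    return 0;
}
```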