Exploit code for potentially serious vulnerabilities in multiple implementations of SSH
has been posted on the Web, prompting another round of debate over the way security disclosures
are handled by research firms.
The security research division of Spanish firm I-Proyectos posted the
code to exploit the SSH flaws in the freeware PuTTY SSH and Telnet client
for Windows systems. The code was posted on the BugTraq mailing list and was
meant for “educational/testing purposes” only, the firm said.
However, security advocates noted that the code could be modified to
attack vulnerabilities in other SSH clients, which are typically used as a
secure replacement for rlogin, rsh, rcp and rdist.
SSH is a program to log into another computer over a network, to execute
commands on a remote machine, and to move files from one machine to another.
It provides authentication and secure communications over insecure channels,
but the flaws found by New York-based Rapid7 could be used by hackers to
execute arbitrary code with the privileges of the secure SSH process or
cause a denial of service. The vulnerabilities occur before user
authentication takes place.
The public posting of the exploit code potentially makes it easy for
attackers to target unpatched systems and again raises the debate over the
responsible disclosure of vulnerabilities. Internet Security Systems (ISS)
was forced to go public
with its Vulnerability Disclosure Guidelines in the face of criticism over
its handling of software security alerts.
The public release of the ISS Disclosure Guidelines came just weeks
after security experts chided the firm for releasing information about
security flaws in the BIND server and Sun’s Solaris Font Service before
giving the affected vendors enough time to issue patches or fixes.
While the posting of exploit code by research firms is somewhat rare,
proof-of-concept code has been released in the past once a patch has been
Appropriate patches for the SSH vulnerabilities have been issued by most
vendors, and the latest exploit code was tested and executed against PuTTY
0.52 running on Windows XP and Windows 2000.