Question

Since I'm fairly unfamiliar with the specific details of the SSH protocol, I was wondering if it was possible for a compromised SSHd server to upload a malicious payload (like a Trojan or some other nefarious code) back to a completely uncompromised client who was connecting to it.

I suppose a poorly-coded SSH client could definitely fall victim to this kind of attack through some sort of buffer overflow, but could it happen to an SSH client that followed the protocol to the letter, like the well-maintained, stable, and battle-tested OpenSSH client? If so, has a documented example of such an exploit occurred in the past?

Explanation / Answer

Yes. The server is sending back data of its choice to be processed by the client. If there is a flaw or an exploit, it can be taken advantage of by the malicious server, even if this is legitimate software.

The fact that it's well maintained, battle tested, etc. does not mean it's guaranteed to be free of vulnerabilities. There may be new bugs introduced with new features, protocol misimplementations, etc. The probability may be lower, but it's not impossible.
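
As an added illustration (not part of the original answer, and not OpenSSH's code), the sketch below shows the kind of check a client has to apply to server-chosen data: validating the length fields of one unencrypted SSH binary packet (RFC 4253, section 6) before touching the payload. The function name `ssh_frame_check`, the status enum and the use of 35000 bytes as a hard cap are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* RFC 4253 section 6 framing: uint32 packet_length, byte padding_length,
 * payload, padding. Using 35000 as a hard cap is this example's choice. */
#define SSH_MAX_PACKET 35000u
#define SSH_MIN_PADDING 4u
#define SSH_ALIGN 8u            /* block size before encryption is negotiated */

enum ssh_frame_status { SSH_FRAME_OK, SSH_FRAME_INCOMPLETE, SSH_FRAME_MALFORMED };

/* Hypothetical helper: check one unencrypted packet in buf[0..len) and
 * expose its payload only if every server-supplied length is consistent. */
enum ssh_frame_status ssh_frame_check(const uint8_t *buf, size_t len,
                                      const uint8_t **payload, size_t *payload_len)
{
    if (len < 5)
        return SSH_FRAME_INCOMPLETE;        /* header not fully received yet */

    uint32_t packet_length = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                             ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    uint32_t padding_length = buf[4];

    /* Cap first, so the additions below cannot wrap around. */
    if (packet_length > SSH_MAX_PACKET - 4)
        return SSH_FRAME_MALFORMED;
    if ((packet_length + 4) % SSH_ALIGN != 0)
        return SSH_FRAME_MALFORMED;
    if (padding_length < SSH_MIN_PADDING)
        return SSH_FRAME_MALFORMED;
    /* payload = packet_length - padding_length - 1 must be at least 1 byte. */
    if (padding_length + 1 >= packet_length)
        return SSH_FRAME_MALFORMED;
    if (len < (size_t)packet_length + 4)
        return SSH_FRAME_INCOMPLETE;        /* wait for the rest, never read past len */

    *payload = buf + 5;
    *payload_len = packet_length - padding_length - 1;
    return SSH_FRAME_OK;
}

int main(void)
{
    /* Constructed sample: packet_length=12, padding_length=10, payload={21}. */
    const uint8_t sample[16] = {0, 0, 0, 12, 10, 21};
    const uint8_t *p = NULL; size_t n = 0;
    enum ssh_frame_status s = ssh_frame_check(sample, sizeof sample, &p, &n);
    printf("status=%d payload_len=%zu\n", (int)s, n);
    return 0;
}
```

A parser that skips any one of these checks and trusts `packet_length` or `padding_length` directly is the sort of flaw the answer refers to.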