undefined | Better HN

0 pointsfrozenport10y ago0 comments

Yes, they need to compromise the server but they also need to compromise the client. With both compromised they will have the same execution privileges as the original Putty.exe, then they will need to ROPgadget? If they have both compromised by the heck do they need to use putty?

0 comments

3 comments · 1 top-level

Drdrdrq10y ago· 2 in thread

No, they must control the server, and with that they can compromise the client. Or at least this is how I understand it.

nitrogen10y ago

An attacker might just need to get something to show up into a log file that is then viewed using PuTTY. Always escape attacker-controlled data before logging or displaying it.

frozenportOP10y ago

Okay, but crashing the client isn't the same thing as compromising the client.

1 more reply

j / k navigate · click thread line to collapse