During connection setup the SSH server sends its public host key information to the client. This information consists of the RSA parameters 'e' and 'n' and the size of 'n' in bits. The SSH client does not check how many significant bits the transmitted 'n' actually has, but simply copies the announced size as it is.
Credit:
This vulnerability has been discovered by: Niels Provos.
This information has been provided by: Markus Friedl.
Vulnerable systems:
SSH Client versions 1.2.0 to 1.2.27
The SSH client does not check whether the announced size equals the actual size of 'n'; it blindly uses the supplied information, displays it to the user and saves it to the ~/.ssh/known_hosts file.
Thus a malicious server can announce a parameter size of 1024 bits while actually transmitting a host key whose 'n' has only 1017 significant bits (the 7 most significant bits are zero).
While this may not be actively exploitable, it is at least misleading, since the user believes a stronger key is in use than actually is, and the known_hosts entry records the announced size rather than the real one.
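The following is an added example (not code from the SSH 1.2.x client or from the advisory) showing the client-side check the advisory says is missing: derive the size of 'n' from the value actually received and compare it with the size the server announced, rejecting a mismatch and never writing the announced size into known_hosts. The function names, the 'host bits e n' known_hosts line layout and the two sample moduli are assumptions; the moduli are constructed numbers with the top bit placed at a chosen position, not real RSA keys.

```python
"""
Added example, not code from the SSH 1.2.x client: validate an SSH-1 style
host key announcement (bits, e, n) instead of trusting the announced size.
Function names and the sample moduli are assumptions / constructed data.
"""


def modulus_bits(n: int) -> int:
    """Actual size of the modulus n in bits (position of its top set bit)."""
    return n.bit_length()


def check_host_key(announced_bits: int, e: int, n: int):
    """
    Return (ok, message). The announced size must equal the real size of n;
    a run of zero bits at the top means the server lied or is broken.
    Obviously malformed RSA parameters are rejected as well.
    """
    if n <= 0 or e <= 1 or n % 2 == 0:
        return False, "malformed RSA parameters"
    real = modulus_bits(n)
    if real != announced_bits:
        return False, (f"server announced a {announced_bits}-bit modulus "
                       f"but sent {real} significant bits")
    return True, f"{real}-bit host key"


def known_hosts_line(host: str, e: int, n: int) -> str:
    """
    Assumed SSH-1 style known_hosts entry 'host bits e n' in decimal.
    The bit count is derived from n, never copied from the announcement.
    """
    return f"{host} {modulus_bits(n)} {e} {n}"


# Constructed sample moduli (not real RSA keys): an odd number with its top
# bit at position 1023 (a genuine 1024-bit value) and one with its top bit
# at position 1016, i.e. 1017 significant bits with the 7 high bits zero.
E = 35
N_GOOD = (1 << 1023) | (0x5A5A5A5A << 64) | 0x1
N_SHORT = (1 << 1016) | (0x5A5A5A5A << 64) | 0x1

if __name__ == "__main__":
    for label, bits, n in [("honest", 1024, N_GOOD), ("lying", 1024, N_SHORT)]:
        ok, msg = check_host_key(bits, E, n)
        print(f"{label} server: {'accept' if ok else 'REJECT'} ({msg})")
        if ok:
            print("  known_hosts:", known_hosts_line("example.org", E, n)[:60], "...")
```

Running the block accepts the honest announcement and rejects the one that claims 1024 bits for a 1017-bit modulus; the fix in the real client amounts to the same comparison before the key is displayed or stored.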