Bitvise WinSSHD 8.48 Exploit (Jun 2026)

Strengthening access controls and authentication mechanisms can limit who can interact with the WinSSHD service.

Fixed in 8.49. Exploit status: Still works on unpatched systems. Coolness factor: High, for the sheer minimalism.

The root cause was likely an . WinSSHD, in trying to be efficient, would partially validate a username during the KEX phase to decide which authentication methods to advertise (e.g., offering publickey vs password). That pre-auth lookup was cached differently for existing vs non-existing users, leaking the result via packet timing/order.

The flaw resides in the key exchange (KEX) phase of the SSH protocol. When a client connects, WinSSHD 8.48 proudly announces its supported cryptographic algorithms. If a client sends a malformed SSH_MSG_KEXINIT packet — specifically, one where the cookie field is valid but the subsequent algorithm list lengths are manipulated — the server responds in one of two subtle ways: