Results 1 to 3 of 3

Thread: PuTTY Vuln Released

  1. #1
    Senior Member
    Join Date
    Jan 2003

    PuTTY Vuln Released

    Hey Hey,

    The Advisory can be found here - http://www.coresecurity.com/common/showdoc.php?idx=417&idxseccion=10]Core Security[/url]

    *Vulnerability Description:*

    PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator.

    PuTTY and PSCP are client applications used by network and security administrators to login securily to networked server systems.

    We have found that by sending specially crafted packets to the client during the authentication process, an attacker is able to compromise and execute arbitrary code on the machine running PuTTY or PSCP.

    In SSH2, an attacker impersonating a trusted host can launch an attack before the client has the ability to determine the difference between the trusted and fake host. This attack is performed before host key verification.

    *Vulnerable Packages:*

    PuTTY 0.54 and previous versions are vulnerable.

    *Solution/Vendor Information/Workaround:*

    PuTTY 0.55 fixes these vulnerabilities. It is available at:

    PuTTY maintainers recommend that everybody upgrade to 0.55 as soon as possible.


    These vulnerabilities were found by Daniel De Luca, Laura Nuņez and Carlos Sarraute from Core Security Technologies.

    *Technical Description - Exploit/Concept Code:*

    The vulnerabilities were triggered by modifying the implementation of OpenSSH 3.8.1p1, specifically by modifying the following functions:
    to send specially crafted packets to the SSH client.

    [1] Heap overflow using Bignum

    While PSCP is authenticating to the server this vulnerability can be triggered by sending a specially crafted big number (the "base" big number sent by the server).
    The vulnerability lies in the following code (from sshbn.c):
    * Compute (base ^ exp) % mod.
    * The base MUST be smaller than the modulus.
    * The most significant word of mod MUST be non-zero.
    * We assume that the result array is the same size as the mod array.
    Bignum modpow(Bignum base, Bignum exp, Bignum mod) {
    BignumInt *a, *b, *n, *m;
    int mshift;
    int mlen, i, j;
    Bignum result;

    /* Allocate m of size mlen, copy mod to m */
    /* We use big endian internally */
    mlen = mod[0];


    /* Allocate n of size mlen, copy base to n */
    n = snewn(mlen, BignumInt);
    i = mlen - base[0];
    for (j = 0; j < i; j++)
    n[j] = 0;
    for (j = 0; j < base[0]; j++)
    n[i + j] = base[base[0] - j];

    In a normal session, the base is smaller than the modulus, but no checks are done to ensure this. By sending a specially crafted base, when i = mlen - base[0] is calculated, we can give i a controlled negative value, then overflow the memory allocated to n, when the
    for (j = 0; j < base[0]; j++)
    n[i + j] = base[base[0] - j];
    loop is executed. This vulnerability can be used by an attacker to execute arbitrary code on the machine running PSCP.

    [2] Another heap overflow using Bignum

    A second vulnerability can be triggered in the PuTTY client during the authentication process. By modifying the second big number sent by the server, an attacker can make the PuTTY client crash.
    We believe this could be exploited by an attacker to execute arbitrary code on the machine running PuTTY.
    Since there's talk of PuTTy right now, I'd suggest everyone upgrade to the latest version.

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  2. #2
    Senior Member
    Join Date
    Jul 2001
    Thanks for the info...
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle

  3. #3
    Senior Member
    Join Date
    Oct 2002
    Yeah, thank's for the information HT. I use PuTTy almost daily for all of my SSH/Telnet connection's. Never thought there would be a vulnerability for it though, but hey.. Thanks again man.
    Space For Rent.. =]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts