ESB-2004.0493 -- Core Security Technologies Advisory CORE-2004-0705 -- Vulnerabilities in PuTTY and PSCP

Date: 06 August 2004

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

    ESB-2004.0493 -- Core Security Technologies Advisory CORE-2004-0705
                     Vulnerabilities in PuTTY and PSCP
                               6 August 2004

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                PuTTY
                        PSCP
Publisher:              Core Security Technologies
Operating System:       Windows
                        UNIX variants
                        Linux variants
Impact:                 Execute Arbitrary Code/Commands
Access:                 Remote/Unauthenticated

- --------------------------BEGIN INCLUDED TEXT--------------------

                Core Security Technologies Advisory
                    http://www.coresecurity.com

                 Vulnerabilities in PuTTY and PSCP


Date Published: 2004-08-04

Last Update: 2004-08-04

Advisory ID: CORE-2004-0705

Bugtraq ID: None currently assigned.

CVE Name: None currently assigned.

Title: Vulnerabilities in PuTTY and PSCP

Class: Boundary Error Condition

Remotely Exploitable: Yes

Locally Exploitable: No

Advisory URL:
 http://www.coresecurity.com/common/showdoc.php?idx=417&idxseccion=10

Vendors contacted:
- - Maintainers of PuTTY
  . Core notification: 2004-07-28
  . Notification acknowledged by PuTTY maintainers: 2004-07-29
  . Fixed version (beta 0.55) released: 2004-08-03

Release Mode: FORCED RELEASE

*Vulnerability Description:*

 PuTTY is a free implementation of Telnet and SSH for Win32 and Unix
 platforms, along with an xterm terminal emulator.

 PuTTY and PSCP are client applications used by network and
 security administrators to log in securely to networked server systems.

 We have found that by sending specially crafted packets to the client
 during the authentication process, an attacker acting as the server
 is able to execute arbitrary code on the machine running PuTTY or
 PSCP.

 In SSH2 the crafted packets are processed before host key
 verification, so an attacker impersonating a trusted host (or
 interposed between the client and that host) can launch the attack
 before the client has any means of telling the trusted host and the
 fake one apart. The host key check that would normally expose the
 impersonation never gets a chance to run.

*Vulnerable Packages:*

 PuTTY 0.54 and previous versions are vulnerable.


*Solution/Vendor Information/Workaround:*

 PuTTY 0.55 fixes these vulnerabilities. It is available at:
 http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

 PuTTY maintainers recommend that everybody upgrade to 0.55 as soon
 as possible.


*Credits:*

 These vulnerabilities were found by Daniel De Luca, Laura Nuñez and
 Carlos Sarraute from Core Security Technologies.


*Technical Description - Exploit/Concept Code:*

 The vulnerabilities were triggered by modifying the implementation
 of OpenSSH 3.8.1p1, specifically by modifying the following functions:
  packet_put_int
  packet_put_string
  packet_put_cstring
  packet_put_raw
  packet_put_bignum
  packet_put_bignum2
 to send specially crafted packets to the SSH client.


 [1] Heap overflow using Bignum

 While PSCP is authenticating to the server, this vulnerability can be
 triggered by sending a specially crafted big number (the "base" big
 number that the server sends, which becomes the base argument of
 modpow()). The vulnerability lies in the following code (from sshbn.c):
- ----------------------------------------------------------------------
/*
 * Compute (base ^ exp) % mod.
 * The base MUST be smaller than the modulus.
 * The most significant word of mod MUST be non-zero.
 * We assume that the result array is the same size as the mod array.
 */
Bignum modpow(Bignum base, Bignum exp, Bignum mod)
{
    BignumInt *a, *b, *n, *m;
    int mshift;
    int mlen, i, j;
    Bignum result;

    /* Allocate m of size mlen, copy mod to m */
    /* We use big endian internally */
    mlen = mod[0];

    [...]

    /* Allocate n of size mlen, copy base to n */
    n = snewn(mlen, BignumInt);
    i = mlen - base[0];
    for (j = 0; j < i; j++)
       n[j] = 0;
    for (j = 0; j < base[0]; j++)
       n[i + j] = base[base[0] - j];

    [...]
- ----------------------------------------------------------------------
 In a normal session the base is smaller than the modulus, but nothing
 checks this: base[0], the word count of the base, comes straight from
 the number the server sent. By sending a base with more words than the
 modulus, the server makes  i = mlen - base[0]  negative by exactly
 base[0] - mlen words. The first store of the
    for (j = 0; j < base[0]; j++)
       n[i + j] = base[base[0] - j];
 loop then lands at n[i], that many words before the start of the heap
 block allocated for n, and the loop keeps writing, with values taken
 from the attacker's base, until it reaches n[mlen - 1]. The server
 thus chooses both how far outside the allocation the write starts and
 what is written there. This vulnerability can be used by an attacker
 to execute arbitrary code on the machine running PSCP.
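 The following C program is an added worked example, not code from
 PuTTY or from the advisory's authors. It models the copy loop above
 with a Bignum in the sshbn.c layout (b[0] = word count, then words
 least significant first), decodes the base from an SSH wire mpint so
 the word count arrives exactly as a server would supply it, runs the
 0.54-style unchecked copy inside a guarded arena that stands in for
 the heap, and shows the checked copy that rejects an over-long base.
 Assumptions: 32-bit words (the real BignumInt width varies by PuTTY
 version), constructed wire bytes rather than captured traffic, and
 hypothetical function names (mpint_to_bignum, unchecked_copy_underrun,
 checked_copy, scenario_*).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* sshbn.c layout: b[0] = word count, b[1..b[0]] = words, least significant first.
 * Assumption: 32-bit words (the real BignumInt width varies by PuTTY version). */
typedef uint32_t BignumInt;
typedef BignumInt *Bignum;

#define GUARD  4             /* guard words on each side of the sandboxed n */
#define CANARY 0xC0FFEE01u   /* any store outside n shows up as a changed guard word */

/* Decode an SSH wire mpint (uint32 big-endian byte length, then big-endian bytes).
 * Nothing bounds the resulting word count: it is whatever the peer put in the
 * length field. Returns NULL if the length field runs past the buffer. */
Bignum mpint_to_bignum(const unsigned char *buf, size_t buflen)
{
    if (buflen < 4) return NULL;
    uint32_t len = (uint32_t)buf[0] << 24 | (uint32_t)buf[1] << 16 |
                   (uint32_t)buf[2] << 8 | (uint32_t)buf[3];
    if (len > buflen - 4) return NULL;
    uint32_t words = (len + 3) / 4;
    Bignum b = calloc(words + 1, sizeof *b);
    if (!b) return NULL;
    b[0] = words;
    for (uint32_t k = 0; k < len; k++) {
        uint32_t from_end = len - 1 - k;      /* 0 = least significant byte */
        b[1 + from_end / 4] |= (BignumInt)buf[4 + k] << (8 * (from_end % 4));
    }
    return b;
}

/* The 0.54 copy loop, with n placed inside a guarded arena so a store below n
 * hits guard words rather than live heap metadata. mlen is the modulus word
 * count (what snewn(mlen) allocates). Returns the number of words written
 * below n, or -1 if the overrun would not fit in the arena (refuse, don't corrupt). */
int unchecked_copy_underrun(int mlen, const Bignum base)
{
    int blen = (int)base[0];
    int i = mlen - blen;                      /* negative when base is longer than mod */
    if (-i > GUARD) return -1;
    int total = mlen + 2 * GUARD;
    BignumInt *arena = malloc((size_t)total * sizeof *arena);
    if (!arena) return -1;
    for (int k = 0; k < total; k++) arena[k] = CANARY;
    BignumInt *n = arena + GUARD;             /* stands in for the snewn(mlen) buffer */
    for (int j = 0; j < i; j++) n[j] = 0;    /* never runs when i < 0 */
    for (int j = 0; j < blen; j++)
        n[i + j] = base[blen - j];            /* j = 0 stores to n[i]: below n when i < 0 */
    int underrun = 0;
    for (int k = 0; k < GUARD; k++) if (arena[k] != CANARY) underrun++;
    free(arena);
    return underrun;
}

/* Same copy with the check modpow() lacked: a base with more words than the
 * modulus is rejected before any store. Returns 0 (n filled big-endian,
 * zero-padded at the top) or -1 on rejection. n must hold mlen words. */
int checked_copy(BignumInt *n, int mlen, const Bignum base)
{
    int blen = (int)base[0];
    if (blen > mlen) return -1;
    int i = mlen - blen;
    for (int j = 0; j < i; j++) n[j] = 0;
    for (int j = 0; j < blen; j++) n[i + j] = base[blen - j];
    return 0;
}

/* Constructed wire data (not captured traffic): a 16-byte (4-word) modulus, a
 * well-formed 12-byte (3-word) base, and a 24-byte (6-word) base that is longer
 * than the modulus, which is all a server needs to send to make i negative. */
static const unsigned char MOD_WIRE[] = { 0, 0, 0, 16,
    0x43, 0x5A, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEF };
static const unsigned char BASE_OK_WIRE[] = { 0, 0, 0, 12,
    0, 0, 0, 3, 0, 0, 0, 2, 0, 0, 0, 1 };
static const unsigned char BASE_LONG_WIRE[] = { 0, 0, 0, 24,
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C,
    0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18 };

/* Words the 0.54 loop writes below n for the over-long base (base[0] - mlen). */
int scenario_unchecked(void)
{
    Bignum mod = mpint_to_bignum(MOD_WIRE, sizeof MOD_WIRE);
    Bignum base = mpint_to_bignum(BASE_LONG_WIRE, sizeof BASE_LONG_WIRE);
    int r = unchecked_copy_underrun((int)mod[0], base);
    free(mod); free(base);
    return r;
}

/* Checked copy of a wire base against MOD_WIRE: n[idx] on success, -1 if rejected. */
int scenario_checked(const unsigned char *wire, size_t wirelen, int idx)
{
    BignumInt n[4];
    Bignum mod = mpint_to_bignum(MOD_WIRE, sizeof MOD_WIRE);
    Bignum base = mpint_to_bignum(wire, wirelen);
    int r = checked_copy(n, (int)mod[0], base);
    free(mod); free(base);
    return r == 0 ? (int)n[idx] : -1;
}

int main(void)
{
    printf("0.54 loop, 6-word base into 4-word n: %d words written below n\n", scenario_unchecked());
    printf("checked copy, 6-word base: %s\n",
           scenario_checked(BASE_LONG_WIRE, sizeof BASE_LONG_WIRE, 0) < 0 ? "rejected" : "accepted");
    printf("checked copy, 3-word base: n[0..3] = %d %d %d %d\n",
           scenario_checked(BASE_OK_WIRE, sizeof BASE_OK_WIRE, 0), scenario_checked(BASE_OK_WIRE, sizeof BASE_OK_WIRE, 1),
           scenario_checked(BASE_OK_WIRE, sizeof BASE_OK_WIRE, 2), scenario_checked(BASE_OK_WIRE, sizeof BASE_OK_WIRE, 3));
    return 0;
}
```

 With the 6-word base the unchecked loop reports two words written
 below n, which is base[0] - mlen, and the values stored there are the
 top two words of the attacker's base. On a real heap the words
 immediately below an allocation are typically the allocator's chunk
 metadata or the tail of the neighbouring block, which is why the
 advisory rates this as code execution rather than a crash. The
 length check in checked_copy is what stops the out-of-bounds store;
 it does not by itself enforce the numeric "base smaller than modulus"
 precondition in modpow()'s comment, which a full fix should also
 verify.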


 [2] Another heap overflow using Bignum

 A second vulnerability can be triggered in the PuTTY client during
 the authentication process. By modifying the second big number sent
 by the server, an attacker can make the PuTTY client crash.
 We believe this could be exploited by an attacker to execute arbitrary
 code on the machine running PuTTY.


*About Core Security Technologies*

 Core Security Technologies develops strategic security solutions for
 Fortune 1000 corporations, government agencies and military
 organizations. The company offers information security software and
 services designed to assess risk and protect and manage information
 assets.
 Headquartered in Boston, MA, Core Security Technologies can be reached
 at 617-399-6980 or on the Web at http://www.coresecurity.com.

 To learn more about CORE IMPACT, the first comprehensive penetration
 testing framework, visit:
 http://www.coresecurity.com/products/coreimpact


*DISCLAIMER:*

 The contents of this advisory are copyright (c) 2004 Core Security
 Technologies and may be distributed freely provided that no fee is
 charged for this distribution and proper credit is given.

$Id: putty-advisory.txt,v 1.7 2004/08/04 19:48:27 aag Exp $

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQRLOwSh9+71yA2DNAQI/8wP+N9CmXbNnb6rhttmciRQEwXksjQ5snvuP
zVC/2O+3zzjNef30spwBBVAgpoQ8xV1LvBVEQfGrnXDncox6r3WHJiMj7EuTDSRJ
ABoba11VJK+KTk1fzV9un/QjaX5im/C0XIX3zF99IxbisrkrHCdBqSrNFUQOFDBk
BHRaiJnkXe8=
=1hLi
-----END PGP SIGNATURE-----