[NT] PuTTY and PSCP Multiple Heap Overflow Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 08/09/04

    To: list@securiteam.com
    Date: 9 Aug 2004 19:32:29 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - - - - - - - -

      PuTTY and PSCP Multiple Heap Overflow Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    PuTTY is a free implementation of Telnet and SSH for Win32 and Unix
    platforms, along with an xterm terminal emulator. PuTTY and PSCP are
    client applications used by network and security administrators to log in
    securely to networked server systems.

    By sending specially crafted packets to the clients during the
    authentication phase it is possible to trigger heap overflow
    vulnerabilities and, as a result, execute arbitrary code on the client
    machine.

    DETAILS

    Vulnerable Systems:
     * PuTTY versions 0.54 and prior

    Immune Systems:
     * PuTTY version 0.55

    In SSH-2 the attack is performed before host key verification, so an
    attacker impersonating a trusted host (for example from a
    man-in-the-middle position) can launch it before the client has any way
    to tell the trusted host from the fake one. The attacker does not need
    the real server's host key.

    The vulnerabilities were triggered with a modified OpenSSH 3.8.1p1
    server, specifically by changing the following packet-construction
    functions:
     packet_put_int()
     packet_put_string()
     packet_put_cstring()
     packet_put_raw()
     packet_put_bignum()
     packet_put_bignum2()

    The modified functions send specially crafted packets to the client. As
    the OpenSSH source is freely available and the modifications are
    straightforward, this poses a great risk to any PuTTY user who connects
    to an untrusted or spoofed server. There are essentially two heap
    overflows, both in the handling of Bignum values.

    While PSCP is authenticating to the server this vulnerability can be
    triggered by sending a specially crafted big number (the "base" big number
    sent by the server). The vulnerability lies in the following code (from
    sshbn.c; the [...] elisions are in the original advisory):
    --------------------------------- Begin Code: sshbn.c ---------------------------------
    /*
     * Compute (base ^ exp) % mod.
     * The base MUST be smaller than the modulus.
     * The most significant word of mod MUST be non-zero.
     * We assume that the result array is the same size as the mod array.
     */
    Bignum modpow(Bignum base, Bignum exp, Bignum mod)
    {
        BignumInt *a, *b, *n, *m;
        int mshift;
        int mlen, i, j;
        Bignum result;

        /* Allocate m of size mlen, copy mod to m */
        /* We use big endian internally */
        mlen = mod[0];

        [...]

        /* Allocate n of size mlen, copy base to n */
        n = snewn(mlen, BignumInt);
        i = mlen - base[0];
        for (j = 0; j < i; j++)
           n[j] = 0;
        for (j = 0; j < base[0]; j++)
           n[i + j] = base[base[0] - j];

        [...]
    ---------------------------------- End Code: sshbn.c ----------------------------------

    In a normal session the base is smaller than the modulus, but modpow()
    never checks this; it simply trusts the precondition stated in its
    comment. A server can send a base with more words than the modulus, so
    that when
       i = mlen - base[0];
    is calculated, 'i' takes an attacker-controlled negative value. The
    zero-fill loop then does nothing (its condition j < i is false from the
    start), and the copy loop
       for (j = 0; j < base[0]; j++)
           n[i + j] = base[base[0] - j];
    writes base[0] words starting at n[i], i.e. the first base[0] - mlen
    words land below the start of the heap block allocated for n. Both the
    length of the out-of-bounds write and the words written are chosen by
    the server.

    Note - This vulnerability can be used by an attacker to execute arbitrary
    code on the machine running PSCP.
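    To make the arithmetic above concrete, the following C program (an added
    example, not PuTTY's or CORE's code) re-implements the copy loop from
    modpow() on PuTTY's Bignum layout (word 0 is the length in words, words
    1..len hold the value least-significant word first, as the excerpt
    implies) and runs it against a constructed 4-word modulus and a
    constructed 7-word base, i.e. the kind of value a modified
    packet_put_bignum2() in the server described above would emit. To observe
    the out-of-bounds write without corrupting the real heap, n is placed
    behind eight canary words inside one allocation; the crafted base lands
    on three of them. copy_base_checked() shows the missing precondition
    check, comparing the base against the modulus by value and rejecting
    anything not strictly smaller. The helper names, the canary scheme and the
    check are this example's own and are not PuTTY 0.55's actual fix.

```c
#include <stdio.h>
#include <stdlib.h>

/* PuTTY's Bignum layout as assumed from the excerpt: word 0 holds the
 * length in words, words 1..len hold the value least-significant first. */
typedef unsigned int BignumInt;
typedef BignumInt *Bignum;

#define GUARD_WORDS 8
#define CANARY 0xDEADBEEFu

struct copy_result {
    int first_index;     /* i = mlen - base[0]; negative means out of bounds */
    int guard_clobbered; /* canary words before n that the copy overwrote */
};

/* Re-run the base-copy loop from PuTTY 0.54 modpow(). n sits GUARD_WORDS
 * words into one allocation so a negative i writes onto canaries instead of
 * onto heap metadata; writes that would leave even that block are skipped
 * here purely to keep the demo defined (real PuTTY would not skip them). */
struct copy_result simulate_base_copy(const Bignum base, int mlen)
{
    struct copy_result r = {0, 0};
    int blen = (int)base[0];
    int i, j;
    BignumInt *block = malloc((size_t)(GUARD_WORDS + mlen) * sizeof *block);
    BignumInt *n;

    if (block == NULL)
        abort();
    n = block + GUARD_WORDS;
    for (j = 0; j < GUARD_WORDS; j++)
        block[j] = CANARY;

    i = mlen - blen;            /* no check that base[0] <= mlen */
    r.first_index = i;
    for (j = 0; j < i; j++)     /* never runs when i < 0 */
        n[j] = 0;
    for (j = 0; j < blen; j++) {
        if (i + j < -GUARD_WORDS)
            continue;
        n[i + j] = base[blen - j];
    }

    for (j = 0; j < GUARD_WORDS; j++)
        if (block[j] != CANARY)
            r.guard_clobbered++;
    free(block);
    return r;
}

/* 1 if a < b by value. Assumes no leading zero words, as modpow()
 * already requires for mod. */
static int bn_lt(const Bignum a, const Bignum b)
{
    int i;
    if (a[0] != b[0])
        return a[0] < b[0];
    for (i = (int)a[0]; i >= 1; i--)
        if (a[i] != b[i])
            return a[i] < b[i];
    return 0;
}

/* Hardened copy: enforce the precondition the original comment states.
 * Returns -1 and writes nothing if base >= mod, otherwise fills n
 * (mod[0] words, big endian) and returns 0. */
int copy_base_checked(const Bignum base, const Bignum mod, BignumInt *n)
{
    int mlen = (int)mod[0], blen = (int)base[0];
    int i, j;

    if (!bn_lt(base, mod))
        return -1;
    i = mlen - blen;            /* guaranteed >= 0 now */
    for (j = 0; j < i; j++)
        n[j] = 0;
    for (j = 0; j < blen; j++)
        n[i + j] = base[blen - j];
    return 0;
}

/* Constructed inputs: a 4-word modulus, a legitimate 2-word base and a
 * crafted 7-word base such as a modified server could send. */
static BignumInt sample_mod[] = {4, 0x01, 0x02, 0x03, 0x04};
static BignumInt good_base[] = {2, 0x11, 0x22};
static BignumInt crafted_base[] = {7, 0x41414141u, 0x41414141u, 0x41414141u,
                                   0x41414141u, 0x41414141u, 0x41414141u,
                                   0x41414141u};

struct copy_result demo_crafted(void)
{
    return simulate_base_copy(crafted_base, (int)sample_mod[0]);
}

struct copy_result demo_normal(void)
{
    return simulate_base_copy(good_base, (int)sample_mod[0]);
}

int demo_checked_rejects(void)
{
    BignumInt n[4];
    return copy_base_checked(crafted_base, sample_mod, n);
}

/* Most significant stored word (n[2]) after an accepted copy of good_base. */
BignumInt demo_checked_accepts_msw(void)
{
    BignumInt n[4];
    if (copy_base_checked(good_base, sample_mod, n) != 0)
        return 0;
    return n[2];
}

int main(void)
{
    struct copy_result c = demo_crafted(), g = demo_normal();
    printf("crafted base: i = %d, guard words clobbered = %d\n",
           c.first_index, c.guard_clobbered);
    printf("normal base:  i = %d, guard words clobbered = %d\n",
           g.first_index, g.guard_clobbered);
    printf("checked copy: crafted -> %d, normal -> msw 0x%x\n",
           demo_checked_rejects(), demo_checked_accepts_msw());
    return 0;
}
```

    With the crafted base i is -3, so the loop writes three attacker-chosen
    words in front of n before it ever reaches the buffer; the by-value
    comparison in copy_base_checked() rejects that base outright while
    leaving the legitimate copy (two zero words, then 0x22, 0x11) unchanged.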

    A second vulnerability can be triggered in the PuTTY client during the
    authentication process. By modifying the second big number sent by the
    server, an attacker can crash the PuTTY client and may be able to
    execute arbitrary code on the machine running PuTTY.

    Vendor Status:
    The maintainers of PuTTY were informed and a newer version (0.55) which
    fixes the above issues is available from
    http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

    Disclosure Timeline
     * 2004-07-28 - Core notification
     * 2004-07-29 - Notification acknowledged by PuTTY maintainers
     * 2004-08-03 - Fixed version (beta 0.55) released

    ADDITIONAL INFORMATION

    The information has been provided by CORE Security Technologies
    Advisories <mailto:advisories@coresecurity.com>.
    The original article can be found at:
    http://www.coresecurity.com/common/showdoc.php?idx=417&idxseccion=10

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
