Re: CORE-2004-0705: Vulnerabilities in PuTTY and PSCP
infamous41md_at_hotpop.com
Date: 08/10/04
- Previous message: Arpa Net: "Re: Problem with format string exploit dev in FreeBSD 5.2-CURRENT"
Date: Tue, 10 Aug 2004 02:09:16 -0400
To: vuln-dev@securityfocus.com
anyone tried exploiting this yet? i foolishly assumed it wouldn't be that
difficult to exploit w/o modifying source for an ssl server. sniffed some
packets, got hexdumps of the packets, wrote a prog to pretend to be an ssl
server - which sent out the dumps of the packets i sniffed. only to then
realize that in order to send my own packets you have to jump through all sorts
of crazy hoops to build and compress/encrypt the packets. :[ i'd rather not
have to hack up the source for a real server, but it seems to be either that
or build packets with the ssl functions used in putty.. has anyone else come to a
different conclusion?
On Wed, 04 Aug 2004 17:17:05 -0300
CORE Security Technologies Advisories <advisories@coresecurity.com> wrote:
>
> Core Security Technologies Advisory
> http://www.coresecurity.com
>
> Vulnerabilities in PuTTY and PSCP
>
>
> Date Published: 2004-08-04
>
> Last Update: 2004-08-04
>
> Advisory ID: CORE-2004-0705
>
> Bugtraq ID: None currently assigned.
>
> CVE Name: None currently assigned.
>
> Title: Vulnerabilities in PuTTY and PSCP
>
> Class: Boundary Error Condition
>
> Remotely Exploitable: Yes
>
> Locally Exploitable: No
>
> Advisory URL:
> http://www.coresecurity.com/common/showdoc.php?idx=417&idxseccion=10
>
> Vendors contacted:
> - Maintainers of PuTTY
> . Core notification: 2004-07-28
> . Notification acknowledged by PuTTY maintainers: 2004-07-29
> . Fixed version (beta 0.55) released: 2004-08-03
>
> Release Mode: FORCED RELEASE
>
> *Vulnerability Description:*
>
> PuTTY is a free implementation of Telnet and SSH for Win32 and Unix
> platforms, along with an xterm terminal emulator.
>
> PuTTY and PSCP are client applications used by network and
> security administrators to login securely to networked server systems.
>
> We have found that by sending specially crafted packets to the client
> during the authentication process, an attacker is able to compromise
> and execute arbitrary code on the machine running PuTTY or PSCP.
>
> In SSH2, an attacker impersonating a trusted host can launch an attack
> before the client has the ability to determine the difference between
> the trusted and fake host. This attack is performed before host key
> verification.
>
> *Vulnerable Packages:*
>
> PuTTY 0.54 and previous versions are vulnerable.
>
>
> *Solution/Vendor Information/Workaround:*
>
> PuTTY 0.55 fixes these vulnerabilities. It is available at:
> http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
>
> PuTTY maintainers recommend that everybody upgrade to 0.55 as soon
> as possible.
>
>
> *Credits:*
>
> These vulnerabilities were found by Daniel De Luca, Laura Nuñez and
> Carlos Sarraute from Core Security Technologies.
>
>
> *Technical Description - Exploit/Concept Code:*
>
> The vulnerabilities were triggered by modifying the implementation
> of OpenSSH 3.8.1p1, specifically by modifying the following functions:
> packet_put_int
> packet_put_string
> packet_put_cstring
> packet_put_raw
> packet_put_bignum
> packet_put_bignum2
> to send specially crafted packets to the SSH client.
>
>
> [1] Heap overflow using Bignum
>
> While PSCP is authenticating to the server this vulnerability can be
> triggered by sending a specially crafted big number (the "base" big
> number sent by the server).
> The vulnerability lies in the following code (from sshbn.c):
> ----------------------------------------------------------------------
> /*
>  * Compute (base ^ exp) % mod.
>  * The base MUST be smaller than the modulus.
>  * The most significant word of mod MUST be non-zero.
>  * We assume that the result array is the same size as the mod array.
>  */
> Bignum modpow(Bignum base, Bignum exp, Bignum mod)
> {
>     BignumInt *a, *b, *n, *m;
>     int mshift;
>     int mlen, i, j;
>     Bignum result;
>
>     /* Allocate m of size mlen, copy mod to m */
>     /* We use big endian internally */
>     mlen = mod[0];
>
>     [...]
>
>     /* Allocate n of size mlen, copy base to n */
>     n = snewn(mlen, BignumInt);
>     i = mlen - base[0];
>     for (j = 0; j < i; j++)
>         n[j] = 0;
>     for (j = 0; j < base[0]; j++)
>         n[i + j] = base[base[0] - j];
>
>     [...]
> ----------------------------------------------------------------------
> In a normal session, the base is smaller than the modulus, but no
> checks are done to ensure this. By sending a specially crafted base,
> when i = mlen - base[0] is calculated, we can give i a controlled
> negative value, then overflow the memory allocated to n, when the
>     for (j = 0; j < base[0]; j++)
>         n[i + j] = base[base[0] - j];
> loop is executed. This vulnerability can be used by an attacker to
> execute arbitrary code on the machine running PSCP.
>
>
> [2] Another heap overflow using Bignum
>
> A second vulnerability can be triggered in the PuTTY client during
> the authentication process. By modifying the second big number sent
> by the server, an attacker can make the PuTTY client crash.
> We believe this could be exploited by an attacker to execute arbitrary
> code on the machine running PuTTY.
>
>
> *About Core Security Technologies*
>
> Core Security Technologies develops strategic security solutions for
> Fortune 1000 corporations, government agencies and military
> organizations. The company offers information security software and
> services designed to assess risk and protect and manage information
> assets.
> Headquartered in Boston, MA, Core Security Technologies can be reached
> at 617-399-6980 or on the Web at http://www.coresecurity.com.
>
> To learn more about CORE IMPACT, the first comprehensive penetration
> testing framework, visit:
> http://www.coresecurity.com/products/coreimpact
>
>
> *DISCLAIMER:*
>
> The contents of this advisory are copyright (c) 2004 Core Security
> Technologies and may be distributed freely provided that no fee is
> charged for this distribution and proper credit is given.
>
> $Id: putty-advisory.txt,v 1.7 2004/08/04 19:48:27 aag Exp $
>
--
-sean
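The root cause in item [1] of the quoted advisory is that modpow() trusts base[0] (the word count of the server-supplied base) and computes i = mlen - base[0] with no check that the base fits in the mlen words allocated for n. The following C example, added here and not taken from PuTTY, the advisory or the poster, models the Bignum layout from the quoted excerpt (word count in element 0, words least significant first, copied into big-endian order) and shows the index going negative for an oversized base next to a copy that enforces the "base MUST be smaller than the modulus" precondition. The 16-bit BignumInt width, the sample values and the copy_base_checked() check are assumptions for this example; it is not PuTTY 0.55's actual fix.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumed Bignum layout, modelled on the quoted sshbn.c excerpt (not PuTTY's
 * own headers): bn[0] holds the word count, bn[1..bn[0]] the words, least
 * significant first. The 16-bit word width is an assumption for this example. */
typedef unsigned short BignumInt;
typedef BignumInt *Bignum;

/* Reproduces the index arithmetic of the quoted modpow() loop without writing
 * anything: i = mlen - base[0] is where the copy loop's first write, n[i],
 * lands. A negative result means that write falls before the allocation n. */
int copy_start_index(int mlen, const Bignum base)
{
    return mlen - (int) base[0];
}

/* Checked copy of base into an mlen-word big-endian buffer n. Same copy as the
 * quoted code, but a base with more words than the modulus is rejected instead
 * of driving i negative. Returns 0 on success, -1 if base does not fit.
 * Illustrative check only, not PuTTY 0.55's actual fix. */
int copy_base_checked(BignumInt *n, int mlen, const Bignum base)
{
    int i, j;
    if (mlen <= 0 || (int) base[0] > mlen)
        return -1;                      /* enforce "base MUST be smaller" */
    i = mlen - (int) base[0];
    for (j = 0; j < i; j++)
        n[j] = 0;                       /* leading zero words */
    for (j = 0; j < (int) base[0]; j++)
        n[i + j] = base[base[0] - j];   /* reverse into big-endian order */
    return 0;
}

/* Constructed sample values: a 4-word modulus, a legitimate 2-word base and an
 * oversized 6-word base of the kind the advisory describes a server sending. */
static BignumInt sample_base_ok[]  = { 2, 0x1234, 0x5678 };
static BignumInt sample_base_big[] = { 6, 1, 2, 3, 4, 5, 6 };
#define SAMPLE_MLEN 4

/* Top word n[3] after a legitimate copy: the most significant word 0x1234. */
unsigned normal_copy_top_word(void)
{
    BignumInt n[SAMPLE_MLEN];
    if (copy_base_checked(n, SAMPLE_MLEN, sample_base_ok) != 0)
        return 0;
    return n[SAMPLE_MLEN - 1];
}

/* Index at which the original loop would start writing for the oversized
 * base: 4 - 6 = -2, i.e. two words before the start of n. */
int oversized_first_index(void)
{
    return copy_start_index(SAMPLE_MLEN, sample_base_big);
}

/* The checked copy refuses the oversized base (-1) and leaves n untouched. */
int oversized_rejected(void)
{
    BignumInt n[SAMPLE_MLEN] = { 0xAAAA, 0xAAAA, 0xAAAA, 0xAAAA };
    int rc = copy_base_checked(n, SAMPLE_MLEN, sample_base_big);
    return (rc == -1 && n[0] == 0xAAAA) ? -1 : 0;
}

int main(void)
{
    printf("normal copy, top word: 0x%04x\n", normal_copy_top_word());
    printf("oversized base: original loop would first write n[%d]\n",
           oversized_first_index());
    printf("checked copy result for oversized base: %d\n", oversized_rejected());
    return 0;
}
```

The check is deliberately placed on the word count rather than on the numeric value: the overflow happens in the copy loop, before any arithmetic, so the comparison has to happen before the first write. The same reasoning applies to every length-prefixed field a client reads from an unauthenticated peer during key exchange, which is why the advisory stresses that the attack lands before host key verification.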