‘PuTTY and PSCP Multiple Heap Overflow Vulnerabilities’

Summary

‘PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. PuTTY and PSCP are client applications used by network and security administrators to log in securely to networked server systems.

By sending specially crafted packets to the clients during the authentication phase it is possible to trigger heap overflow vulnerabilities and as a result execute arbitrary code at the client side.’

Credit:

‘The information has been provided by CORE Security Technologies Advisories.
The original article can be found at: http://www.coresecurity.com/common/showdoc.php?idx=417&idxseccion=10


Details

Vulnerable Systems:
 * PuTTY versions 0.54 and prior

Immune Systems:
 * PuTTY version 0.55

In SSH2, an attacker impersonating a trusted host can launch the attack before the client has any way to tell the trusted host from the fake one, because the vulnerable code runs before host key verification. The attacker therefore does not need the real server's host key: anyone who can get the client to connect to them (a rogue server, DNS spoofing, or a man-in-the-middle on the path) can deliver the crafted packets.

The vulnerabilities were triggered by modifying the implementation of OpenSSH 3.8.1p1, specifically by modifying the following functions:
 packet_put_int()
 packet_put_string()
 packet_put_cstring()
 packet_put_raw()
 packet_put_bignum()
 packet_put_bignum2()

The functions were modified to send specially crafted packets to the client. As almost anyone has access to OpenSSH and is able to make the modifications, this poses a great risk to any PuTTY users. There are essentially two heap overflows using Bignum.

While PSCP is authenticating to the server this vulnerability can be triggered by sending a specially crafted big number (the ‘base’ big number sent by the server). The vulnerability lies in the following code (from sshbn.c):
——————————— Begin Code: sshbn.c ———————————
/*
 * Compute (base ^ exp) % mod.
 * The base MUST be smaller than the modulus.
 * The most significant word of mod MUST be non-zero.
 * We assume that the result array is the same size as the mod array.
 */
Bignum modpow(Bignum base, Bignum exp, Bignum mod)
{
    BignumInt *a, *b, *n, *m;
    int mshift;
    int mlen, i, j;
    Bignum result;

    /* Allocate m of size mlen, copy mod to m */
    /* We use big endian internally */
    mlen = mod[0];

    […]

    /* Allocate n of size mlen, copy base to n */
    n = snewn(mlen, BignumInt);
    i = mlen - base[0];            /* leading zero words; negative if base is wider than mod */
    for (j = 0; j < i; j++)
       n[j] = 0;
    for (j = 0; j < base[0]; j++)  /* copies base[0] words starting at n[i], no bounds check */
       n[i + j] = base[base[0] - j];

    […]
———————————- End Code: sshbn.c ———————————-

In a normal session the base is smaller than the modulus, but nothing checks this. A Bignum stores its length in words at index 0, so a crafted base with more words than the modulus makes i = mlen - base[0] negative. The zero-padding loop then runs zero times, and the copy loop writes base[0] attacker-supplied words starting at n[i], that is, before the beginning of the block allocated for n, corrupting whatever precedes it on the heap (typically allocator metadata and the tail of the previous allocation):
   for (j = 0; j < base[0]; j++)
       n[i + j] = base[base[0] - j];

Note – This vulnerability can be used by an attacker to execute arbitrary code on the machine running PSCP.
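The following is an added example, not code from PuTTY or from the CORE advisory. It replays the copy loop above against an instrumented buffer so the effect of an oversize base can be counted instead of letting it corrupt the real heap, and shows the bounds check a hardened copy needs before it touches n. The 16-bit word size, the arena layout and all function names are assumptions made for the example.

```c
/* Added example (not PuTTY code): the modpow() copy loop from PuTTY 0.54's
 * sshbn.c, replayed against an instrumented arena so the out-of-bounds
 * writes can be counted instead of corrupting the real heap.
 * Assumptions: 16-bit BignumInt words, and the arena layout and names below. */
#include <stdlib.h>

typedef unsigned short BignumInt;
typedef BignumInt *Bignum;     /* word[0] = length in words, word[1..len] = value, LSW first */

#define ARENA_WORDS 64
#define N_OFFSET    32         /* the simulated "n" allocation starts here inside the arena */
#define CANARY      0xABCDu    /* fill value so any foreign write is visible */

/* Build a Bignum of `len` words whose value words are all `fill`. Caller frees. */
static Bignum make_bignum(int len, BignumInt fill)
{
    Bignum b = malloc((size_t)(len + 1) * sizeof(BignumInt));
    int j;
    b[0] = (BignumInt)len;
    for (j = 1; j <= len; j++)
        b[j] = fill;
    return b;
}

/* The copy exactly as 0.54 does it; n is assumed to be mlen words long. */
static void copy_base_0_54(BignumInt *n, int mlen, Bignum base)
{
    int i, j;
    i = mlen - base[0];            /* negative when base has more words than mod */
    for (j = 0; j < i; j++)        /* zero padding: runs zero times if i < 0 */
        n[j] = 0;
    for (j = 0; j < base[0]; j++)  /* i + j starts below zero: writes land before n */
        n[i + j] = base[base[0] - j];
}

/* Replay the 0.54 copy for a base_len-word base against an mlen-word modulus.
 * Returns how many arena words *below* n were overwritten (0 for a sane base),
 * or -1 if the chosen sizes would take the simulation itself outside the arena. */
int words_clobbered_before_n(int mlen, int base_len)
{
    BignumInt arena[ARENA_WORDS];
    BignumInt *n = arena + N_OFFSET;
    Bignum base;
    int k, clobbered = 0;

    if (mlen > ARENA_WORDS - N_OFFSET || base_len - mlen > N_OFFSET)
        return -1;

    for (k = 0; k < ARENA_WORDS; k++)
        arena[k] = CANARY;
    base = make_bignum(base_len, 0x1111u);   /* attacker-chosen word value */

    copy_base_0_54(n, mlen, base);

    for (k = 0; k < N_OFFSET; k++)           /* every lost canary below n is a bad write */
        if (arena[k] != CANARY)
            clobbered++;
    free(base);
    return clobbered;
}

/* Hardened copy: refuse a base wider than the modulus before touching n.
 * Returns 0 on success, -1 if the peer sent an oversize base. */
int copy_base_checked(BignumInt *n, int mlen, Bignum base)
{
    int i, j;
    if (base[0] > mlen)
        return -1;                 /* protocol violation: base must be < mod */
    i = mlen - base[0];
    for (j = 0; j < i; j++)
        n[j] = 0;
    for (j = 0; j < base[0]; j++)
        n[i + j] = base[base[0] - j];
    return 0;
}

/* Convenience wrapper: result of the checked copy for the same two sizes. */
int checked_copy_result(int mlen, int base_len)
{
    BignumInt n[ARENA_WORDS];
    Bignum base = make_bignum(base_len, 0x2222u);
    int rc = copy_base_checked(n, mlen, base);
    free(base);
    return rc;
}
```

words_clobbered_before_n(8, 12) models an 8-word modulus and a 12-word base: i is -4, so the four words immediately before n are overwritten with values the server chose, while the checked variant refuses the same input before writing anything. In the real client those words belong to the allocator and to the previous allocation, which is the kind of corruption that turns a crash into code execution; a reduction of the base modulo mod before the copy would be an alternative to rejecting it outright.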

A second vulnerability can be triggered in the PuTTY client during the authentication process. By modifying the second big number sent by the server, an attacker could make the PuTTY client crash, and could potentially execute arbitrary code on the machine running PuTTY.

Vendor Status:
The maintainers of PuTTY were informed and a newer version is available which fixes the above issues. It can be downloaded from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.

Disclosure Timeline
 * 2004-07-28 – Core notification
 * 2004-07-29 – Notification acknowledged by PuTTY maintainers
 * 2004-08-03 – Fixed version (beta 0.55) released’

Categories: Windows