PuTTY 0.62 Heap Overflow

2013.08.06
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

PuTTY SSH handshake heap overflow (CVE-2013-4852) Description: PuTTY versions 0.62 and earlier - as well as all software that integrates these versions of PuTTY - are vulnerable to an integer overflow leading to heap overflow during the SSH handshake before authentication, caused by improper bounds checking of the length parameter received from the SSH server. This allows remote attackers to cause denial of service, and may have more severe impact on the operation of software that uses PuTTY code. Affected software products: - PuTTY up to and including 0.62 - WinSCP before 5.1.6 - all other software that uses vulnerable (revision 9895 or earlier) PuTTY code Details: A malformed size value in the SSH handshake could cause an integer overflow, as the getstring() function in sshrsa.c and sshdss.c read the handshake message length without checking that it was not a negative number. Specifically, the bignum_from_bytes() function invoked by getstring() received a data buffer along with its length represented by a signed integer (nbytes) and performed the following arithmetical operation before allocating memory to store the buffer: w = (nbytes + BIGNUM_INT_BYTES - 1) / BIGNUM_INT_BYTES; /* bytes->words */ result = newbn(w); If the value of nbytes was -1 (0xffffffff), the value of w would overflow to a very small positive number (depending on the value of BIGNUM_INT_BYTES), causing newbn() to reserve a very small memory area. Then a large number of bytes would be copied into the data buffer afterwards, resulting in a heap overflow. Similarly, if nbytes was chosen so that w would be -1, the newbn() function would allocate zero bytes in memory via snewn() and attempt to write the size of the Bignum (in four bytes) into the allocated zero-byte area, also resulting in a heap overflow. Consequences: In the standalone PuTTY client the attacker does not have precise control over the memory corruption, so this bug can only cause a local denial-of-service (crash). However, in other software that uses PuTTY code, such heap corruption could have more severe effects. Specifically in case of WinSCP, this vulnerability could potentially lead to code execution due to the exception handling employed by the program. Solution: This vulnerability has been fixed in the development version of PuTTY [2]. All developers using PuTTY code are recommended to use revision 9896 or later. The potential code execution vulnerability has been addressed in WinSCP 5.1.6 [3]. Credits: This vulnerability was discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (www.search-lab.hu) References: [1] http://www.search-lab.hu/advisories/secadv-20130722 [2] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896 [3] http://winscp.net/tracker/show_bug.cgi?id=1017

References:

http://www.search-lab.hu/advisories/secadv-20130722
http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
http://winscp.net/tracker/show_bug.cgi?id=1017


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top