Exploit the possiblities

PuTTY 0.62 Heap Overflow

PuTTY 0.62 Heap Overflow
Posted Aug 6, 2013
Authored by Gergely Eberhardt

PuTTY versions 0.62 and below suffer from an SSH handshake heap overflow vulnerability.

tags | advisory, overflow
advisories | CVE-2013-4852
MD5 | c841cb43581bedebf7bc74034e1b9a52

PuTTY 0.62 Heap Overflow

Change Mirror Download
PuTTY SSH handshake heap overflow (CVE-2013-4852)

Description:
PuTTY versions 0.62 and earlier - as well as all software that
integrates these versions of PuTTY - are vulnerable to an integer overflow
leading to heap overflow during the SSH handshake before authentication,
caused
by improper bounds checking of the length parameter received from the
SSH server.
This allows remote attackers to cause denial of service, and may have more
severe impact on the operation of software that uses PuTTY code.

Affected software products:
- PuTTY up to and including 0.62
- WinSCP before 5.1.6
- all other software that uses vulnerable (revision 9895 or earlier)
PuTTY code

Details:
A malformed size value in the SSH handshake could cause an integer
overflow, as
the getstring() function in sshrsa.c and sshdss.c read the handshake
message
length without checking that it was not a negative number.

Specifically, the bignum_from_bytes() function invoked by getstring()
received a
data buffer along with its length represented by a signed integer
(nbytes) and
performed the following arithmetical operation before allocating memory
to store
the buffer:

w = (nbytes + BIGNUM_INT_BYTES - 1) / BIGNUM_INT_BYTES; /*
bytes->words */
result = newbn(w);

If the value of nbytes was -1 (0xffffffff), the value of w would
overflow to a
very small positive number (depending on the value of BIGNUM_INT_BYTES),
causing
newbn() to reserve a very small memory area. Then a large number of
bytes would
be copied into the data buffer afterwards, resulting in a heap overflow.

Similarly, if nbytes was chosen so that w would be -1, the newbn() function
would allocate zero bytes in memory via snewn() and attempt to write the
size of
the Bignum (in four bytes) into the allocated zero-byte area, also
resulting in
a heap overflow.

Consequences:
In the standalone PuTTY client the attacker does not have precise
control over
the memory corruption, so this bug can only cause a local denial-of-service
(crash). However, in other software that uses PuTTY code, such heap
corruption
could have more severe effects. Specifically in case of WinSCP, this
vulnerability could potentially lead to code execution due to the exception
handling employed by the program.

Solution:
This vulnerability has been fixed in the development version of PuTTY
[2]. All
developers using PuTTY code are recommended to use revision 9896 or later.
The potential code execution vulnerability has been addressed in WinSCP
5.1.6
[3].

Credits:
This vulnerability was discovered and researched by Gergely Eberhardt
from SEARCH-LAB Ltd. (www.search-lab.hu)

References:
[1] http://www.search-lab.hu/advisories/secadv-20130722
[2] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
[3] http://winscp.net/tracker/show_bug.cgi?id=1017

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close