Exploit the possiblities

putty-advisory.txt

putty-advisory.txt
Posted Aug 5, 2004
Authored by Daniel De Luca, Laura Nunez, Carlos Sarraute | Site coresecurity.com

Putty client versions below 0.55 suffer from a flaw that allow for arbitrary code execution.

tags | advisory, arbitrary, code execution
MD5 | 031610ab69b910612eebb07fdf17a6bf

putty-advisory.txt

Change Mirror Download
08 | 04 | 2004

*Vulnerabilities in PuTTY and PSCP*

Core Security Technologies Advisory
http://www.coresecurity.com


Date Published: 2004-08-04

Last Update: 2004-08-04

Advisory ID: CORE-2004-0705

Bugtraq ID: None currently assigned.

CVE Name: None currently assigned.

Title: Vulnerabilities in PuTTY and PSCP

Class: Boundary Error Condition

Remotely Exploitable: Yes

Locally Exploitable: No

Advisory URL: http://www.coresecurity.com/common/showdoc.php?idx=417&idxseccion=10

Vendors contacted:
*- Maintainers of PuTTY*
. Core notification: 2004-07-28
. Notification acknowledged by PuTTY maintainers: 2004-07-29
. Fixed version (beta 0.55) released: 2004-08-03

Release Mode: FORCED RELEASE


**Vulnerability Description:*

*PuTTY is a free implementation of Telnet and SSH for Win32 and
Unix platforms, along with an xterm terminal emulator.

PuTTY and PSCP are client applications used by network and security
administrators to login securily to networked server systems.

We have found that by sending specially crafted packets to the
client during the authentication process, an attacker is able to
compromise and execute arbitrary code on the machine running PuTTY or PSCP.

In SSH2, an attacker impersonating a trusted host can launch an attack
before the client has the ability to determine the difference
between the trusted and fake host. This attack is performed before host
key verification.


**Vulnerable Packages:*

*PuTTY 0.54 and previous versions are vulnerable.


**Solution/Vendor Information/Workaround:*

*PuTTY 0.55 fixes these vulnerabilities. It is available
at: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

PuTTY maintainers recommend that everybody upgrade to 0.55 as soon as
possible.


**Credits:*

*These vulnerabilities were found by Daniel De Luca, Laura Nuñez
and Carlos Sarraute from Core Security Technologies.


**Technical Description - Exploit/Concept Code:*

*The vulnerabilities were triggered by modifying the implementation of
OpenSSH 3.8.1p1, specifically by modifying the following functions:
packet_put_int
packet_put_string
packet_put_cstring
packet_put_raw
packet_put_bignum
packet_put_bignum2
to send specially crafted packets to the SSH client.


[1] Heap overflow using Bignum

While PSCP is authenticating to the server this vulnerability can
be triggered by sending a specially crafted big number (the "base"
big number sent by the server).
The vulnerability lies in the following code (from sshbn.c):
----------------------------------------------------------------------
/*
* Compute (base ^ exp) % mod.
* The base MUST be smaller than the modulus.
* The most significant word of mod MUST be non-zero.
* We assume that the result array is the same size as the mod array.
*/
Bignum modpow(Bignum base, Bignum exp, Bignum mod)
{
BignumInt *a, *b, *n, *m;
int mshift;
int mlen, i, j;
Bignum result;

/* Allocate m of size mlen, copy mod to m */
/* We use big endian internally */
mlen = mod[0];

[...]

/* Allocate n of size mlen, copy base to n */
n = snewn(mlen, BignumInt);
i = mlen - base[0];
for (j = 0; j < i; j++)
n[j] = 0;
for (j = 0; j < base[0]; j++)
n[i + j] = base[base[0] - j];

[...]
----------------------------------------------------------------------
In a normal session, the base is smaller than the modulus, but no checks
are done to ensure this. By sending a specially crafted base, when i =
mlen - base[0] is calculated, we can give i a controlled negative
value, then overflow the memory allocated to n, when the
for (j = 0; j < base[0]; j++)
n[i + j] = base[base[0] - j];
loop is executed. This vulnerability can be used by an attacker
to execute arbitrary code on the machine running PSCP.


[2] Another heap overflow using Bignum

A second vulnerability can be triggered in the PuTTY client during the
authentication process. By modifying the second big number sent by the
server, an attacker can make the PuTTY client crash. We believe this
could be exploited by an attacker to execute arbitrary code on the
machine running PuTTY.


**About Core Security Technologies*

*Core Security Technologies develops strategic security solutions
for Fortune 1000 corporations, government agencies and
military organizations. The company offers information security software
and services designed to assess risk and protect and manage
information assets.
Headquartered in Boston, MA, Core Security Technologies can be
reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

To learn more about CORE IMPACT, the first comprehensive
penetration testing framework,
visit: http://www.coresecurity.com/products/coreimpact.
<http://www.coresecurity.com/products/coreimpact>


**DISCLAIMER:*

*The contents of this advisory are copyright (c) 2004 Core
Security Technologies and may be distributed freely provided that no fee
is charged for this distribution and proper credit is given.

$Id: putty-advisory.txt,v 1.7 2004/08/04 19:48:27 aag Exp $

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close