CORE-2004-0705: Vulnerabilities in PuTTY and PSCP

From: CORE Security Technologies Advisories (advisories@coresecurity.com)
Date: Wed Aug 04 2004 - 16:17:05 EDT

                Core Security Technologies Advisory
                    http://www.coresecurity.com

                 Vulnerabilities in PuTTY and PSCP

Date Published: 2004-08-04

Last Update: 2004-08-04

Advisory ID: CORE-2004-0705

Bugtraq ID: None currently assigned.

CVE Name: None currently assigned.

Title: Vulnerabilities in PuTTY and PSCP

Class: Boundary Error Condition

Remotely Exploitable: Yes

Locally Exploitable: No

Advisory URL:
 http://www.coresecurity.com/common/showdoc.php?idx=417&idxseccion=10

Vendors contacted:
- Maintainers of PuTTY
  . Core notification: 2004-07-28
  . Notification acknowledged by PuTTY maintainers: 2004-07-29
  . Fixed version (beta 0.55) released: 2004-08-03

Release Mode: FORCED RELEASE

*Vulnerability Description:*

 PuTTY is a free implementation of Telnet and SSH for Win32 and Unix
 platforms, along with an xterm terminal emulator.

 PuTTY and PSCP are client applications used by network and
 security administrators to login securily to networked server systems.
 
 We have found that by sending specially crafted packets to the client
 during the authentication process, an attacker is able to compromise
 and execute arbitrary code on the machine running PuTTY or PSCP.

 In SSH2, an attacker impersonating a trusted host can launch an attack
 before the client has the ability to determine the difference between
 the trusted and fake host. This attack is performed before host key
 verification.

*Vulnerable Packages:*

 PuTTY 0.54 and previous versions are vulnerable.

*Solution/Vendor Information/Workaround:*

 PuTTY 0.55 fixes these vulnerabilities. It is available at:
 http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

 PuTTY maintainers recommend that everybody upgrade to 0.55 as soon
 as possible.

*Credits:*

 These vulnerabilities were found by Daniel De Luca, Laura Nuņez and
 Carlos Sarraute from Core Security Technologies.

*Technical Description - Exploit/Concept Code:*

 The vulnerabilities were triggered by modifying the implementation
 of OpenSSH 3.8.1p1, specifically by modifying the following functions:
  packet_put_int
  packet_put_string
  packet_put_cstring
  packet_put_raw
  packet_put_bignum
  packet_put_bignum2
 to send specially crafted packets to the SSH client.

 [1] Heap overflow using Bignum

 While PSCP is authenticating to the server this vulnerability can be
 triggered by sending a specially crafted big number (the "base" big
 number sent by the server).
 The vulnerability lies in the following code (from sshbn.c):
----------------------------------------------------------------------
/*
 * Compute (base ^ exp) % mod.
 * The base MUST be smaller than the modulus.
 * The most significant word of mod MUST be non-zero.
 * We assume that the result array is the same size as the mod array.
 */
Bignum modpow(Bignum base, Bignum exp, Bignum mod)
{
    BignumInt *a, *b, *n, *m;
    int mshift;
    int mlen, i, j;
    Bignum result;

    /* Allocate m of size mlen, copy mod to m */
    /* We use big endian internally */
    mlen = mod[0];

    [...]

    /* Allocate n of size mlen, copy base to n */
    n = snewn(mlen, BignumInt);
    i = mlen - base[0];
    for (j = 0; j < i; j++)
       n[j] = 0;
    for (j = 0; j < base[0]; j++)
       n[i + j] = base[base[0] - j];

    [...]
----------------------------------------------------------------------
 In a normal session, the base is smaller than the modulus, but no
 checks are done to ensure this. By sending a specially crafted base,
 when i = mlen - base[0] is calculated, we can give i a controlled
 negative value, then overflow the memory allocated to n, when the
    for (j = 0; j < base[0]; j++)
       n[i + j] = base[base[0] - j];
 loop is executed. This vulnerability can be used by an attacker to
 execute arbitrary code on the machine running PSCP.

 [2] Another heap overflow using Bignum

 A second vulnerability can be triggered in the PuTTY client during
 the authentication process. By modifying the second big number sent
 by the server, an attacker can make the PuTTY client crash.
 We believe this could be exploited by an attacker to execute arbitrary
 code on the machine running PuTTY.

*About Core Security Technologies*

 Core Security Technologies develops strategic security solutions for
 Fortune 1000 corporations, government agencies and military
 organizations. The company offers information security software and
 services designed to assess risk and protect and manage information
 assets.
 Headquartered in Boston, MA, Core Security Technologies can be reached
 at 617-399-6980 or on the Web at http://www.coresecurity.com.

 To learn more about CORE IMPACT, the first comprehensive penetration
 testing framework, visit:
 http://www.coresecurity.com/products/coreimpact

*DISCLAIMER:*

 The contents of this advisory are copyright (c) 2004 Core Security
 Technologies and may be distributed freely provided that no fee is
 charged for this distribution and proper credit is given.

$Id: putty-advisory.txt,v 1.7 2004/08/04 19:48:27 aag Exp $

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:58 EDT