qcred11
Aug 5 2004, 02:58 PM
| QUOTE |
Vulnerabilities in PuTTY and PSCP
Date Published: 2004-08-04
Last Update: 2004-08-04
Bugtraq ID: None currently assigned.
CVE Name: None currently assigned.
Class: Boundary Error Condition
Remotely Exploitable: Yes
Locally Exploitable: No
Vendors contacted:
- Maintainers of PuTTY
  . Core notification: 2004-07-28
  . Notification acknowledged by PuTTY maintainers: 2004-07-29
  . Fixed version (beta 0.55) released: 2004-08-03
Release Mode: FORCED RELEASE
*Vulnerability Description:*
PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator.
PuTTY and PSCP are client applications used by network and security administrators to log in securely to networked server systems. We have found that by sending specially crafted packets to the client during the authentication process, an attacker is able to compromise and execute arbitrary code on the machine running PuTTY or PSCP.
In SSH2, an attacker impersonating a trusted host can launch an attack before the client has the ability to determine the difference between the trusted and fake host. This attack is performed before host key verification.
*Vulnerable Packages:*
PuTTY 0.54 and previous versions are vulnerable.
*Solution/Vendor Information/Workaround:*
PuTTY 0.55 fixes these vulnerabilities. It is available at: http://www.chiark.greenend.org.uk/~sgtatha...y/download.html
PuTTY maintainers recommend that everybody upgrade to 0.55 as soon as possible.
*Technical Description - Exploit/Concept Code:*
The vulnerabilities were triggered by modifying the implementation of OpenSSH 3.8.1p1, specifically by modifying the following functions:
  packet_put_int
  packet_put_string
  packet_put_cstring
  packet_put_raw
  packet_put_bignum
  packet_put_bignum2
to send specially crafted packets to the SSH client.
[1] Heap overflow using Bignum
While PSCP is authenticating to the server this vulnerability can be triggered by sending a specially crafted big number (the "base" big number sent by the server). The vulnerability lies in the following code (from sshbn.c):
----------------------------------------------------------------------
/*
 * Compute (base ^ exp) % mod.
 * The base MUST be smaller than the modulus.
 * The most significant word of mod MUST be non-zero.
 * We assume that the result array is the same size as the mod array.
 */
Bignum modpow(Bignum base, Bignum exp, Bignum mod)
{
    BignumInt *a, *b, *n, *m;
    int mshift;
    int mlen, i, j;
    Bignum result;

    /* Allocate m of size mlen, copy mod to m */
    /* We use big endian internally */
    mlen = mod[0];

    [...]

    /* Allocate n of size mlen, copy base to n */
    n = snewn(mlen, BignumInt);
    i = mlen - base[0];
    for (j = 0; j < i; j++)
        n[j] = 0;
    for (j = 0; j < base[0]; j++)
        n[i + j] = base[base[0] - j];

    [...]
----------------------------------------------------------------------
In a normal session, the base is smaller than the modulus, but no checks are done to ensure this. By sending a specially crafted base, when i = mlen - base[0] is calculated, we can give i a controlled negative value, then overflow the memory allocated to n when the loop

    for (j = 0; j < base[0]; j++)
        n[i + j] = base[base[0] - j];

is executed. This vulnerability can be used by an attacker to execute arbitrary code on the machine running PSCP.
[2] Another heap overflow using Bignum
A second vulnerability can be triggered in the PuTTY client during the authentication process. By modifying the second big number sent by the server, an attacker can make the PuTTY client crash. We believe this could be exploited by an attacker to execute arbitrary code on the machine running PuTTY.
|
Sent by mailing list
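The missing precondition in the quoted modpow fragment, written out as an added example (this is not PuTTY's code and not part of the advisory or the post). It assumes a 16-bit BignumInt and the layout the fragment implies, where word 0 of a Bignum holds its length in words; the sample values are constructed. leading_zero_words reports the offset i the way modpow computes it, so an oversized base shows up as a negative i without anything being written, and copy_base_checked is the same copy-into-n step with the guard that makes the "base MUST be smaller than the modulus" comment an enforced check rather than a convention the server is trusted to follow.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption for this example: a 16-bit word, with word 0 holding the length
   in words, as the quoted sshbn.c fragment implies. */
typedef uint16_t BignumInt;
typedef BignumInt *Bignum;

/* The precondition the advisory says modpow never verified: the base must
   not be longer (in words) than the modulus, or i = mlen - base[0] goes
   negative. Returns 1 when the copy into n would stay in bounds. */
int base_fits_modulus(const Bignum base, const Bignum mod)
{
    return base[0] <= mod[0];
}

/* The offset i exactly as modpow computes it. A negative result is the
   failure mode described in the advisory: the second loop would then start
   writing before the start of n. Nothing is written here; it only reports. */
int leading_zero_words(const Bignum base, const Bignum mod)
{
    return (int)mod[0] - (int)base[0];
}

/* The copy-base-into-n step of modpow with the guard added. Allocates n of
   mlen words (big endian, as in the original), zero-fills the leading words,
   and returns NULL instead of overflowing when the base is too long. */
Bignum copy_base_checked(const Bignum base, const Bignum mod)
{
    int mlen = mod[0], i, j;
    BignumInt *n;

    if (!base_fits_modulus(base, mod))
        return NULL;                               /* reject, do not overflow */
    n = calloc((size_t)mlen, sizeof(BignumInt));   /* leading words are 0 */
    if (n == NULL)
        return NULL;
    i = mlen - base[0];                            /* now guaranteed >= 0 */
    for (j = 0; j < base[0]; j++)
        n[i + j] = base[base[0] - j];              /* i + j <= mlen - 1 */
    return n;
}

/* Convenience for inspection and tests: word idx of the checked copy, or -1
   when the copy was refused. */
int checked_copy_word(const Bignum base, const Bignum mod, int idx)
{
    Bignum n = copy_base_checked(base, mod);
    int v;
    if (n == NULL)
        return -1;
    v = n[idx];
    free(n);
    return v;
}

/* Constructed sample values, not taken from the advisory or any capture:
   a 4-word modulus, a 2-word base that fits, and a 6-word base that does not. */
static BignumInt sample_mod[]     = {4, 0x1234, 0x5678, 0x9abc, 0xdef1};
static BignumInt sample_base[]    = {2, 0x0011, 0x0022};
static BignumInt oversized_base[] = {6, 1, 2, 3, 4, 5, 6};

int main(void)
{
    printf("normal base:    i = %d, word 3 of n = 0x%04x\n",
           leading_zero_words(sample_base, sample_mod),
           checked_copy_word(sample_base, sample_mod, 3));
    printf("oversized base: i = %d, copy refused = %d\n",
           leading_zero_words(oversized_base, sample_mod),
           checked_copy_word(oversized_base, sample_mod, 0) == -1);
    return 0;
}
```

With the 4-word modulus and 6-word base, i comes out as -2, which is the value the unguarded loop would have used as its starting index; the guarded copy refuses that input before allocating. The check belongs where the length of a peer-supplied number is first trusted, which is the point the advisory makes about the key-exchange values arriving before host key verification.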
AgentOrange
Aug 5 2004, 07:01 PM
Damn, I sure hope that exploit code comes out for this one. I have an idea for a complex attack pattern. Heap overflows are tricky; it would take skill to make the exploit code. I hope people are working on it.
Peace out
xoro
Aug 5 2004, 09:08 PM
On which list are you registered to receive this mail?
thx
agathos
Aug 6 2004, 04:11 PM
exploit code
you need only to modify
the OpenSSH source code, maybe with a little bind shellcode

it works fine
greets agathos