PuTTY vulnerability vuln-ssh2-debug

This is a mirror. The primary PuTTY web site can be found here.

Home | Licence | FAQ | Docs | Download | Keys | Links
Mirrors | Updates | Feedback | Changes | Wishlist | Team

summary: Vulnerability: crafted SSH2_MSG_DEBUG can cause remote code execution
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: 0.51
present-in: 0.52 0.53 0.53b 0.54 0.55
fixed-in: 2004-10-23 0.56 (0.58) (0.59) (0.60) (0.61) (0.62) (0.63) (0.64)

Many versions of PuTTY prior to 0.56 have a memory corruption vulnerability in their treatment of received debug messages in SSH protocol version 2 (SSH2_MSG_DEBUG).

This message is handled in ssh2_rdpkt(). A string length is read from the SSH packet and clipped to the length of a buffer. However, the string length is stored as a signed integer, and there is no protection against its being large enough to be stored as a negative number. This will bypass the length checking and appear as a large positive number once again to the subsequent memcpy(), causing a memory overflow. Code execution has been demonstrated as a result of this overflow.

This bug is EXTREMELY SEVERE. PuTTY can process debug messages at any time in the protocol, including during the initial key exchange phase. Therefore, this bug can be exploited by a malicious server, before the client has received and verified a host key signature. So this attack can be performed by a man-in-the-middle between the SSH client and server, and the normal host key protections against MITM attacks are bypassed. Even if you trust the server you think you are connecting to, you are not safe.

This bug does not affect SSH protocol version 1, as the SSH1_MSG_DEBUG string length is sanity-checked against the packet length before use.

This bug was discovered by an anonymous contributor to iDEFENSE's Vulnerability Contributor Program. It is documented in iDEFENSE's advisory 10.27.04. It is also mentioned in an advisory by Secunia, numbered SA12987, and has been assigned CVE ID CVE-2004-1008 and OSVDB ID 11165.

Audit trail for this vulnerability.


If you want to comment on this web site, see the Feedback page.
(last revision of this bug record was at 2008-11-22 13:03:10 +0000)