===================================================================== CERT-Renater Note d'Information No. 2013/VULN339 _____________________________________________________________________ DATE : 08/08/2013 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running PuTTY versions 0.52 up to and including 0.62. ====================================================================== http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-signature-stringlen.html http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html ______________________________________________________________________ PuTTY vulnerability vuln-signature-stringlen summary: Vulnerability: negative string length in public-key signatures can cause integer overflow and overwrite all of memory class: vulnerability: This is a security vulnerability. difficulty: fun: Just needs tuits, and not many of them. priority: high: This should be fixed in the next release. absent-in: r968 present-in: 0.52 0.53 0.53b 0.54 0.55 0.56 0.57 0.58 0.59 0.60 0.61 0.62 fixed-in: r9896 2013-07-09 0.63 Many versions of PuTTY prior to 0.63 have an integer overflow vulnerability in their treatment of string length fields in public-key signatures. An RSA signature blob contains a multiprecision integer stored as an SSH-2 string, i.e. with a 4-byte length field at the front. Setting this length field to 0xFFFFFFFF (-1) is mistakenly permitted by the signature decoding code due to a missing bounds check, and the effect is that PuTTY allocates zero memory to store the integer in (because it adds one to the length first) and then tries to write zeroes over 4Gb of memory starting from that location. This bug applies to any RSA signature received by PuTTY, including during the initial key exchange phase. Therefore, this bug can be exploited by a malicious server, before the client has received and verified a host key signature. So this attack can be performed by a man-in-the-middle between the SSH client and server, and the normal host key protections against MITM attacks are bypassed. Even if you trust the server you think you are connecting to, you are not safe. We are unaware of any way in which this can lead to remote code execution, since it will typically overwrite the entire heap with zeroes and PuTTY is expected to crash almost immediately. This bug does not affect DSA keys. This bug was discovered by SEARCH-LAB and documented in their advisory. It has been assigned CVE ID CVE-2013-4852. Audit trail for this vulnerability. ______________________________________________________________________ PuTTY vulnerability vuln-modmul summary: Vulnerability: buffer underrun in modmul can corrupt the heap class: vulnerability: This is a security vulnerability. difficulty: fun: Just needs tuits, and not many of them. priority: high: This should be fixed in the next release. absent-in: r571 present-in: 0.52 0.53 0.53b 0.54 0.55 0.56 0.57 0.58 0.59 0.60 0.61 0.62 fixed-in: r9977 2013-07-09 0.63 Many versions of PuTTY prior to 0.63 have a heap-corrupting buffer underrun bug in the modmul function which performs modular multiplication. In order to get as many useful bits as possible out of each division, modmul starts by shifting the modulus left so that its highest set bit appears at the top of a machine word. To correct for that shift in the following calculation, the last thing it does is to shift the entire output value left by the same number of bits, reduce it again, and shift back down. A missing bounds check can cause it to allocate the array it uses to store that output value with too little capacity, with the effect that the bit-shifting process runs off the beginning of the array and corrupts data preceding it in memory. The corrupted data will typically consist of other values involved in the same modular multiplication, and the heap block headers in between them. Since the shifted data is shifted back again immediately after the final modular reduction, this bug would be harmless (though still wrong) except for the fact that one word at the bottom of the data is not shifted back down. By choosing the inputs to modmul to have appropriate lengths relative to each other, that one unrestored word can be made to point at a heap block header. The modmul function is called during validation of any DSA signature received by PuTTY, including during the initial key exchange phase. Therefore, this bug can be exploited by a malicious server, before the client has received and verified a host key signature. So this attack can be performed by a man-in-the-middle between the SSH client and server, and the normal host key protections against MITM attacks are bypassed. Even if you trust the server you think you are connecting to, you are not safe. We are currently unaware of any way in which this can lead to remote code execution or controlled memory overwriting, since the overwritten heap block cannot be assigned an arbitrary value by the attacker, only shifted left by a chosen number of bits. However, we cannot be sure of that. This bug does not affect RSA keys. This bug was discovered by Mark Wooding. It has been assigned CVE ID CVE-2013-4206. Audit trail for this vulnerability. ====================================================================== ========================================================= Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================