
====================================================================

                               CERT-Renater

                    Information Note No. 2016/VULN093
_____________________________________________________________________

DATE                : 07/03/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PuTTY versions prior to 0.67.

======================================================================
http://www.chiark.greenend.org.uk/~sgtatham/putty/
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html
_____________________________________________________________________

2016-03-05 PuTTY 0.67 released, fixing a SECURITY HOLE

PuTTY 0.67, released today, fixes a security hole in 0.65 and before:
vuln-pscp-sink-sscanf. It also contains a few other small bug fixes.

Also, for the first time, the Windows executables in this release
(including the installer) are signed using an Authenticode certificate,
to help protect against tampering in transit from our website or after
downloading. You should find that they list "Simon Tatham" as the
verified publisher.

_____________________________________________________________________

PuTTY vulnerability vuln-pscp-sink-sscanf


summary: Vulnerability: old-style scp downloads may allow remote
code execution

class: vulnerability: This is a security vulnerability.

difficulty: fun: Just needs tuits, and not many of them.

priority: high: This should be fixed in the next release.

present-in: 0.66

fixed-in: 0.67

Many versions of PSCP prior to 0.67 have a stack corruption
vulnerability in their treatment of the 'sink' direction (i.e.
downloading from server to client) of the old-style SCP protocol.

In order for this vulnerability to be exploited, the user must
connect to a malicious server and attempt to download any file.

(Note however that the vulnerability kicks in after host key
verification, so the host key of the server has to have been
accepted to get this far.)

This vulnerability only arises in the old SCP protocol, so you
can work around it in a vulnerable PSCP by using the -sftp option
to force the use of the newer SFTP protocol, provided your server
supports that protocol.

This bug was discovered by tintinweb and has been assigned CVE ID
CVE-2016-2563.

Vulnerability details: Prior to any download in the SCP sink protocol,
the server sends a line of text consisting of an octal number encoding
Unix file permissions, a decimal number encoding the file size, and the
file name. Since the file size can exceed 2^32 bytes, and in some
compilation configurations of PuTTY the host platform's largest integer
type is only 32 bits wide, PuTTY extracts the decimal file size into a
temporary string variable to send to its own 64-bit decimal decoding
function. Unfortunately, that extraction was done carelessly, using a
sscanf with no length limit, permitting a buffer overrun.
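The defect above is the classic unbounded "%s" copy into a fixed stack buffer. The parser below is an added, constructed illustration (not PuTTY's code) of how the size token of an SCP "C" line can be extracted with an explicit length bound and a 64-bit decode, rejecting any field that would not fit; the line layout, struct and function names are assumptions for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not PuTTY's source. In the old-style SCP sink
 * protocol the server sends "C<octal mode> <decimal size> <name>\n" before
 * each file. The vulnerable pattern copied <size> with sscanf("%s") into a
 * fixed stack buffer with no width limit; here every field is bounded. */

#define SIZE_FIELD_MAX 20   /* 2^64-1 has 20 decimal digits */

struct scp_header {
    unsigned long mode;        /* octal permission bits */
    unsigned long long size;   /* decimal, may legitimately exceed 2^32 */
    char name[256];            /* file name, bounded copy */
};

/* Returns 0 on success, -1 for any malformed or oversized line. */
int parse_scp_c_line(const char *line, struct scp_header *out)
{
    char sizestr[SIZE_FIELD_MAX + 1];
    const char *p = line;
    char *end;
    size_t n;

    if (*p++ != 'C') return -1;

    /* octal mode: must start with an octal digit, ends at a single space */
    if (*p < '0' || *p > '7') return -1;
    errno = 0;
    out->mode = strtoul(p, &end, 8);
    if (errno != 0 || *end != ' ') return -1;
    p = end + 1;

    /* decimal size: measure the digit run first and refuse anything longer
     * than the buffer instead of letting the copy run past it */
    n = strspn(p, "0123456789");
    if (n == 0 || n > SIZE_FIELD_MAX || p[n] != ' ') return -1;
    memcpy(sizestr, p, n);
    sizestr[n] = '\0';
    errno = 0;
    out->size = strtoull(sizestr, &end, 10);
    if (errno != 0) return -1;   /* ERANGE: value does not fit in 64 bits */
    p += n + 1;

    /* file name: rest of the line up to the newline, bounded */
    n = strcspn(p, "\n");
    if (n == 0 || n >= sizeof out->name) return -1;
    memcpy(out->name, p, n);
    out->name[n] = '\0';
    return 0;
}
```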

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================