PuTTY vulnerability vuln-signature-stringlen

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Changes | Wishlist

summary: Vulnerability: negative string length in public-key signatures can cause integer overflow and overwrite all of memory
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: r968
present-in: 0.52 0.53 0.53b 0.54 0.55 0.56 0.57 0.58 0.59 0.60 0.61 0.62
fixed-in: r9896 8b6a8b617f0720d8c17cc2a505ca1371286ada58 2013-07-09 0.63

Many versions of PuTTY prior to 0.63 have an integer overflow vulnerability in their treatment of string length fields in public-key signatures.

An RSA signature blob contains a multiprecision integer stored as an SSH-2 string, i.e. with a 4-byte length field at the front. Setting this length field to 0xFFFFFFFF (-1) is mistakenly permitted by the signature decoding code due to a missing bounds check, and the effect is that PuTTY allocates zero memory to store the integer in (because it adds one to the length first) and then tries to write zeroes over 4Gb of memory starting from that location.

This bug applies to any RSA signature received by PuTTY, including during the initial key exchange phase. Therefore, this bug can be exploited by a malicious server, before the client has received and verified a host key signature. So this attack can be performed by a man-in-the-middle between the SSH client and server, and the normal host key protections against MITM attacks are bypassed. Even if you trust the server you think you are connecting to, you are not safe.

We are unaware of any way in which this can lead to remote code execution, since it will typically overwrite the entire heap with zeroes and PuTTY is expected to crash almost immediately.

This bug does not affect DSA keys.

This bug was discovered by SEARCH-LAB and documented in their advisory. It has been assigned CVE ID CVE-2013-4852.


If you want to comment on this web site, see the Feedback page.
Audit trail for this vulnerability.
(last revision of this bug record was at 2019-03-21 07:16:27 +0000)