mailing list archives
PuTTY SSH handshake heap overflow
From: Gergely Eberhardt <gergely.eberhardt () search-lab hu>
Date: Mon, 05 Aug 2013 11:13:12 +0200
PuTTY SSH handshake heap overflow (CVE-2013-4852)
PuTTY versions 0.62 and earlier - as well as all software that
integrates these versions of PuTTY - are vulnerable to an integer overflow
leading to heap overflow during the SSH handshake before authentication,
by improper bounds checking of the length parameter received from the
This allows remote attackers to cause denial of service, and may have more
severe impact on the operation of software that uses PuTTY code.
Affected software products:
- PuTTY up to and including 0.62
- WinSCP before 5.1.6
- all other software that uses vulnerable (revision 9895 or earlier)
A malformed size value in the SSH handshake could cause an integer
the getstring() function in sshrsa.c and sshdss.c read the handshake
length without checking that it was not a negative number.
Specifically, the bignum_from_bytes() function invoked by getstring()
data buffer along with its length represented by a signed integer
performed the following arithmetical operation before allocating memory
w = (nbytes + BIGNUM_INT_BYTES - 1) / BIGNUM_INT_BYTES; /*
result = newbn(w);
If the value of nbytes was -1 (0xffffffff), the value of w would
overflow to a
very small positive number (depending on the value of BIGNUM_INT_BYTES),
newbn() to reserve a very small memory area. Then a large number of
be copied into the data buffer afterwards, resulting in a heap overflow.
Similarly, if nbytes was chosen so that w would be -1, the newbn() function
would allocate zero bytes in memory via snewn() and attempt to write the
the Bignum (in four bytes) into the allocated zero-byte area, also
a heap overflow.
In the standalone PuTTY client the attacker does not have precise
the memory corruption, so this bug can only cause a local denial-of-service
(crash). However, in other software that uses PuTTY code, such heap
could have more severe effects. Specifically in case of WinSCP, this
vulnerability could potentially lead to code execution due to the exception
handling employed by the program.
This vulnerability has been fixed in the development version of PuTTY
developers using PuTTY code are recommended to use revision 9896 or later.
The potential code execution vulnerability has been addressed in WinSCP
This vulnerability was discovered and researched by Gergely Eberhardt
from SEARCH-LAB Ltd. (www.search-lab.hu)
- PuTTY SSH handshake heap overflow Gergely Eberhardt (Aug 05)