PuTTY vulnerability vuln-win-pageant-client-missing-length-check

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Changes | Wishlist

summary: Vulnerability: Windows Pageant client code does not check response length field
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
present-in: 0.50 0.51 0.52 0.53 0.53b 0.54 0.55 0.56 0.57 0.58 0.59 0.60 0.61 0.62 0.63 0.64 0.65 0.66 0.67 0.68 0.69 0.70 0.71
fixed-in: b38d47e94cf6848dddeaa7aa50301456130715a9 (0.72)

On Windows, when a PuTTY SSH client program sends a request to Pageant, the code that receives the response from Pageant in a shared memory buffer was not doing any range checking on the length field stored at the start of that buffer.

So if a malicious program is playing the role of Pageant, or has taken over an existing Pageant by some method, then it can deliberately send an out-of-range response, to attempt to induce uncontrolled memory reading or overlarge memory allocation by the client program.

This affects all the SSH client tools in the PuTTY suite: PuTTY itself, Plink, PSCP and PSFTP.

We're not sure to what extent this bug is exploitable.

Also, even if it is exploitable, we think this bug is only even worth exploiting under unusual circumstances. Normally, Pageant has all the most valuable secrets in it, so if someone is in a position to take it over then they probably don't need to attack PuTTY through it afterwards. But it's just possible that malware that gets on to the machine by other means might set itself up to mimic Pageant, if the user isn't already running a real one, and then try to attack instances of PuTTY when they do their routine check of Pageant. Also, if PuTTY (but not Pageant) is running with elevated privilege, then a malicious Pageant may be able to escalate its own privilege if it can successfully attack the elevated PuTTY.

This vulnerability was found as part of a bug bounty programme run under the auspices of the EU-FOSSA project.

If you want to comment on this web site, see the Feedback page.
Audit trail for this vulnerability.
(last revision of this bug record was at 2019-07-20 07:44:55 +0100)