Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 610552 (CVE-2017-6542) - <net-misc/putty-0.68: integer overflow permits memory overwrite by forwarded ssh-agent connections
Summary: <net-misc/putty-0.68: integer overflow permits memory overwrite by forwarded ...
Status: RESOLVED FIXED
Alias: CVE-2017-6542
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.chiark.greenend.org.uk/~sg...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-22 12:22 UTC by Thomas Deutschmann
Modified: 2017-03-19 18:50 UTC (History)
1 user (show)

See Also:
Package list:
=net-misc/putty-0.68
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-02-22 12:22:04 UTC
From $URL:

Many versions of PuTTY prior to 0.68 have a heap-corrupting integer overflow bug in the ssh_agent_channel_data function which processes messages sent by remote SSH clients to a forwarded agent connection. 

The agent protocol begins every message with a 32-bit length field, which gives the length of the remainder of the message, not including the length field itself. In order to accumulate the entire message including the length field in an internal buffer, PuTTY added 4 to the received length value, to obtain the message length inclusive of everything. This addition was unfortunately missing a check for unsigned integer overflow. 

Hence, sending a length field large enough to overflow when 4 is added to it, such as 0xFFFFFFFD, would cause PuTTY to record a value for the total message length (totallen) which was smaller than the amount of data it had already seen (lensofar, which at this point would be 4 bytes for the length field itself). Then, it would assume that the expression totallen-lensofar represented the amount of space it was safe to write into its buffer – but in fact, in the overflowing case, this value would wrap back round to a number just less than 232, far larger than the allocated heap block, and PuTTY could be induced to overwrite its heap with data sent by the attacker. 

If your server is running Linux or any reasonably similar Unix, and has the socat network utility installed, then you can use this simple proof of concept to determine whether you are affected. Simply run the shell command 
(echo -ne '\xFF\xFF\xFF\xFD\x0B'; cat /dev/zero) | socat stdio unix-connect:$SSH_AUTH_SOCK
and PuTTY will crash. 
This bug is only exploitable at all if you have enabled SSH agent forwarding, which is turned off by default. Moreover, an attacker able to exploit this bug would have to have already be able to connect to the Unix-domain socket representing the forwarded agent connection. Since any attacker with that capability would necessarily already be able to generate signatures with your agent's stored private keys, you should in normal circumstances be defended against this vulnerability by the same precautions you and your operating system were already taking to prevent untrusted people from accessing your SSH agent. 

This vulnerability was reported by Tim Kosse. 



Upstream patch:

https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=4ff22863d895cb7ebfced4cf923a012a614adaa8
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-02-22 12:24:04 UTC
@ Maintainer(s): Please bump to >=net-misc/putty-0.68.
Comment 2 Jeroen Roovers gentoo-dev 2017-02-22 16:36:50 UTC
Arch teams, please test and mark stable:
=net-misc/putty-0.68
Targeted stable KEYWORDS : alpha amd64 hppa ppc ppc64 sparc x86
Comment 3 Jeroen Roovers gentoo-dev 2017-02-23 09:16:22 UTC
Stable for HPPA PPC64.
Comment 4 Agostino Sarubbo gentoo-dev 2017-02-23 15:55:55 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-02-23 16:31:24 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-24 14:09:59 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-02-25 10:05:51 UTC
sparc stable
Comment 8 Tobias Klausmann gentoo-dev 2017-02-28 11:24:09 UTC
Stable on alpha.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2017-03-07 21:43:48 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-03-19 18:50:13 UTC
This issue was resolved and addressed in
 GLSA 201703-03 at https://security.gentoo.org/glsa/201703-03
by GLSA coordinator Thomas Deutschmann (whissi).