PuTTY vulnerability vuln-bignum-division-by-zero

Home | Licence | FAQ | Docs | Download | Keys | Links
Mirrors | Updates | Feedback | Changes | Wishlist | Team

summary: Vulnerability: non-coprime values in DSA signatures can cause buffer overflow in modular inverse
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: r568
present-in: 0.52 0.53 0.53b 0.54 0.55 0.56 0.57 0.58 0.59 0.60 0.61 0.62
fixed-in: r9996 2013-08-05 0.63

Many versions of PuTTY prior to 0.63 have a buffer overflow vulnerability in the calculation of modular inverses when verifying a DSA signature.

One step of the DSA signature verification procedure involves computing the modular inverse of the integer s (part of the signature) with respect to the integer q (part of the public key). If s and q have any common factor, this modular inverse cannot exist. Of course, such a signature is invalid (and probably the private key is invalid too), but PuTTY will react to that situation by its bignum code overflowing a buffer when it attempts to divide by zero during Euclid's algorithm.

This bug applies to any DSA signature received by PuTTY, including during the initial key exchange phase. Therefore, this bug can be exploited by a malicious server, before the client has received and verified a host key signature. So this attack can be performed by a man-in-the-middle between the SSH client and server, and the normal host key protections against MITM attacks are bypassed. Even if you trust the server you think you are connecting to, you are not safe.

We are unaware of any way in which this can lead to remote code execution, since there is no control over the data written into the heap.

This bug does not affect RSA keys.

This bug has been assigned CVE ID CVE-2013-4207.

Audit trail for this vulnerability.

If you want to comment on this web site, see the Feedback page.
(last revision of this bug record was at 2013-08-07 09:50:39 +0100)