Mirrors | Updates | Feedback | Changes | Wishlist | Team
Many versions of PuTTY prior to 0.63 have an integer overflow vulnerability in their treatment of string length fields in public-key signatures.
An RSA signature blob contains a multiprecision integer stored as an SSH-2 string, i.e. with a 4-byte length field at the front. Setting this length field to 0xFFFFFFFF (-1) is mistakenly permitted by the signature decoding code due to a missing bounds check, and the effect is that PuTTY allocates zero memory to store the integer in (because it adds one to the length first) and then tries to write zeroes over 4Gb of memory starting from that location.
This bug applies to any RSA signature received by PuTTY, including during the initial key exchange phase. Therefore, this bug can be exploited by a malicious server, before the client has received and verified a host key signature. So this attack can be performed by a man-in-the-middle between the SSH client and server, and the normal host key protections against MITM attacks are bypassed. Even if you trust the server you think you are connecting to, you are not safe.
We are unaware of any way in which this can lead to remote code execution, since it will typically overwrite the entire heap with zeroes and PuTTY is expected to crash almost immediately.
This bug does not affect DSA keys.
This bug was discovered by SEARCH-LAB and documented in their advisory. It has been assigned CVE ID CVE-2013-4852.
Audit trail for this vulnerability.