PuTTY vulnerability vuln-agent-keylist-used-after-free

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Pre-release · Snapshot | Docs | Changes | Wishlist

summary: Key list from agent used after free if server rejects signature after PK_OK
class: vulnerability: This is a security vulnerability.
difficulty: tricky: Needs many tuits.
priority: high: This should be fixed in the next release.
absent-in: 0.53
fixed-in: 45287b627d1b1c4db4c7bd485a5adcc63b8d608a 0.74

When PuTTY tries to do public-key SSH authentication using a key held in the SSH agent, it retrieves a list of the keys held in the agent, and iterates through them one by one to see which one the server will accept.

PuTTY first sends an offer message, containing just the public key and no signature. If the server is unwilling to accept that key as identifying the target user, it usually sends back a message rejecting the offer, which saves the client the trouble of making a pointless signature. So normally PuTTY iterates through the keys making offers until it finds one (if any) that the server is willing to accept, and then it generates a signature, and the server accepts that signature.

However, it's also possible for the server to accept the key in principle (replying positively to the initial offer) but then reject the actual signature when it is presented. This can happen if the client has a bug causing it to generate an invalid signature, or if the server has a bug causing it to mistakenly think a signature is invalid, or the server can even do it on purpose if it wants to (e.g. to avoid allowing unauthorised clients to cheaply query what keys are acceptable).

In this situation, PuTTY has a bug, because it has a single agent_response variable storing the most recent response sent by the SSH agent, and it leaves the key list in that variable while iterating over it. So once the server responds positively to a key offer, PuTTY asks the SSH agent to generate a signature, which will be stored in the same agent_response variable, whose previous contents (the key list) will be freed. Then, if the server rejects the signature, PuTTY tries to go back to iterating over the key list, failing to notice that it has now been freed.

We don't know that this can be exploited controllably, but it is certainly a bug that can be deliberately triggered by a server (by sending the PK_OK acceptance message to all offers, and then rejecting all signatures).

0.74 fixes it, by having PuTTY immediately copy the key list out of agent_response to somewhere safer. Then the later use of agent_response to retrieve a signature does not collide with the key list.

This vulnerability was discovered by the PuTTY team themselves in the course of development.


If you want to comment on this web site, see the Feedback page.
Audit trail for this vulnerability.
(last revision of this bug record was at 2020-06-27 08:16:18 +0100)