When PuTTY tries to do public-key SSH authentication using a key held in the SSH agent, it retrieves a list of the keys held in the agent, and iterates through them one by one to see which one the server will accept.
PuTTY first sends an offer message, containing just the public key and no signature. If the server is unwilling to accept that key as identifying the target user, it usually sends back a message rejecting the offer, which saves the client the trouble of making a pointless signature. So normally PuTTY iterates through the keys making offers until it finds one (if any) that the server is willing to accept, and then it generates a signature, and the server accepts that signature.
However, it's also possible for the server to accept the key in principle (replying positively to the initial offer) but then reject the actual signature when it is presented. This can happen if the client has a bug causing it to generate an invalid signature, or if the server has a bug causing it to mistakenly think a signature is invalid, or the server can even do it on purpose if it wants to (e.g. to avoid allowing unauthorised clients to cheaply query what keys are acceptable).
In this situation, PuTTY has a bug, because it has a single agent_response variable storing the most recent response sent by the SSH agent, and it leaves the key list in that variable while iterating over it. So once the server responds positively to a key offer, PuTTY asks the SSH agent to generate a signature, which will be stored in the same agent_response variable, whose previous contents (the key list) will be freed. Then, if the server rejects the signature, PuTTY tries to go back to iterating over the key list, failing to notice that it has now been freed.
We don't know that this can be exploited controllably, but it is certainly a bug that can be deliberately triggered by a server (by sending a PK_OK acceptance message to all offers, and then rejecting all signatures).
0.74 fixes it, by having PuTTY immediately copy the key list out of agent_response to somewhere safer. Then the later use of agent_response to retrieve a signature does not collide with the key list.
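The copy-out pattern described above, as an added C sketch that is not PuTTY's source code: struct client, xdup, agent_request, try_all_keys and the three-byte KEYLIST are hypothetical names and constructed data, and the server is modelled as accepting every offer and rejecting every signature.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical client state: a single slot holding the latest agent reply. */
struct client { char *agent_response; size_t len; };

static char *xdup(const char *src, size_t len)
{
    char *p = malloc(len);
    if (!p) abort();
    memcpy(p, src, len);
    return p;
}

/* Simulated agent request: the previous reply is freed and replaced, so any
 * pointer still aimed at the old reply becomes dangling. */
static void agent_request(struct client *c, const char *reply, size_t len)
{
    free(c->agent_response);
    c->agent_response = xdup(reply, len);
    c->len = len;
}

/* Constructed key list: three one-byte key ids, not the real agent format. */
static const char KEYLIST[] = { 'A', 'B', 'C' };

/* Returns the number of keys offered, or -1 if the private copy changed. */
int try_all_keys(void)
{
    struct client c = { NULL, 0 };
    agent_request(&c, KEYLIST, sizeof KEYLIST);
    /* The fix: copy the list out before agent_response is reused.
     * The buggy pattern kept iterating over c.agent_response itself. */
    size_t nkeys = c.len;
    char *keys = xdup(c.agent_response, nkeys);
    int offered = 0;
    for (size_t i = 0; i < nkeys; i++) {
        char sig[2] = { 'S', keys[i] };       /* constructed signature reply */
        agent_request(&c, sig, sizeof sig);   /* frees the original key list */
        offered++;                            /* signature rejected: next key */
    }
    int intact = memcmp(keys, KEYLIST, sizeof KEYLIST) == 0;
    free(keys);
    free(c.agent_response);
    return intact ? offered : -1;
}

int main(void) { printf("%d\n", try_all_keys()); return 0; }
```

Building this with a memory-error detector such as AddressSanitizer and replacing the copy with a direct pointer to c.agent_response makes the stale read visible on the second loop iteration.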
This vulnerability was discovered by the PuTTY team themselves in the course of development.