PuTTY vulnerability vuln-fd-set-overflow

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Changes | Wishlist

summary: Buffer overflow in Unix PuTTY tools if server opens too many port forwardings
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: 0.53b
fixed-in: 5c926d9ea4a9e0a0a2384f06c7583648cdff3ed6 0.71

Up to and including version 0.70, the Unix PuTTY tools used select(2) to watch their collections of active Unix file descriptors for activity.

This involves putting all the file descriptors into a variable of type fd_set, using the OS-provided macro FD_SET. Unfortunately, FD_SET does not bounds-check the input file descriptor. So if any PuTTY tool encountered an fd greater than or equal to FD_SETSIZE (typically 1024), then not only would it be unable to monitor that file descriptor, but it would suffer a buffer overflow in the attempt, overwriting other variables on the stack.

We don't know if this was remotely exploitable, but it could at least be remotely triggered by a malicious SSH server, if you enabled any of the options that allow the server to open a channel:

As of 0.71, all the Unix PuTTY tools have switched to monitoring file descriptors using poll(2), which does not have this API bug.

This vulnerability was found by Teguh P. Alko, as part of a bug bounty programme run under the auspices of the EU-FOSSA project. It has been assigned CVE ID CVE-2019-9895.

If you want to comment on this web site, see the Feedback page.
Audit trail for this vulnerability.
(last revision of this bug record was at 2019-03-25 20:23:34 +0000)