PuTTY vulnerability vuln-indirect-dll-hijack

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Changes | Wishlist

summary: Potential malicious code execution via indirect DLL hijacking
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
fixed-in: 9398d230339d5bfaa94093af89a17abf33b5dfad 2016-07-19 (0.68)

On some versions of Windows, all versions of the PuTTY tools up to and including 0.67 [BUT NOT ONLY THOSE – see below] can end up loading DLLs from the local directory which contains the PuTTY executables.

2017-04-28: further problems of this form came to light after 0.68 was released, so 0.68 is STILL VULNERABLE. See vuln-indirect-dll-hijack-2 for documentation of the additional problems.

This can be a problem if that is an uncontrolled location, such as a browser download directory. If an attacker tricked a user into downloading a malicious DLL and then the user then ran any PuTTY tool directly from their download directory, code in the attacker's DLL could run in the PuTTY process. (This is more likely than it sounds because at least some versions of some browsers have allowed websites to drop files into download directories without asking, as described in this blog post.)

We have verified this behaviour ourselves on Windows 7 and Windows 2008.

This isn't an issue when the PuTTY tools have been installed properly, as attackers should not have the opportunity to get their DLLs into the Program Files directory or elsewhere on the search path (or rather, if they can, you probably have bigger problems).

However, the PuTTY installer .exe itself suffered from the same vulnerability up to and including 0.67, so running that directly from a browser download directory could also have led to compromise. The MSI installer, which debuted with 0.67, does not have this problem, and 0.68's .exe installer does not either.

This bug in the PuTTY executables was reported by Sachin Wagh and has been assigned CVE ID CVE-2016-6167. The equivalent vulnerability in the PuTTY .exe installer was reported to us by Stefan Kanthak.

Vulnerability and mitigation details: While PuTTY had already been somewhat careful about where it explicitly loaded DLLs from since 0.61 (r8993, r9003) after the last time this came up, that doesn't help when those DLLs themselves load DLLs, which is the weakness here. The demonstration used the DLL names UxTheme.dll / ntmarta.dll, which are apparently sought by standard bits of Windows.

This has been remedied in the PuTTY executables by calling the SetDefaultDllDirectories() function, on versions of Windows where that is available; that is fully-patched Windows Vista and up (the Microsoft security update KB2533623 from 2014 is required on Vista, 7, and 2008). The mitigation is not available on unpatched or older versions of Windows, for which the only remedy is not to run the PuTTY tools from untrusted locations.

The fix for the .exe installer's version of this vulnerability was to upgrade our copy of Inno Setup to 5.5.9, which contains their similar mitigation.

Microsoft has some guidance about this class of vulnerability.

If you want to comment on this web site, see the Feedback page.
Audit trail for this vulnerability.
(last revision of this bug record was at 2021-07-03 11:50:19 +0100)