Download: Stable · Snapshot | Docs | Changes | Wishlist
Many versions of PuTTY prior to 0.63 have a heap-corrupting buffer
underrun bug in the
modmul function which performs
In order to get as many useful bits as possible out of each division,
modmul starts by shifting the modulus left so that its
highest set bit appears at the top of a machine word. To correct for
that shift in the following calculation, the last thing it does is to
shift the entire output value left by the same number of bits, reduce
it again, and shift back down. A missing bounds check can cause it to
allocate the array it uses to store that output value with too little
capacity, with the effect that the bit-shifting process runs off the
beginning of the array and corrupts data preceding it in memory.
The corrupted data will typically consist of other values involved in
the same modular multiplication, and the heap block headers in between
them. Since the shifted data is shifted back again immediately after
the final modular reduction, this bug would be harmless (though still
wrong) except for the fact that one word at the bottom of the data is
not shifted back down. By choosing the inputs to
modmul to have appropriate lengths relative to each
other, that one unrestored word can be made to point at a heap block
modmul function is called during validation of any
DSA signature received by PuTTY, including during the initial key
exchange phase. Therefore, this bug can be exploited by a malicious
server, before the client has received and verified a host
key signature. So this attack can be performed by a man-in-the-middle
between the SSH client and server, and the normal host key protections
against MITM attacks are bypassed. Even if you trust the server you
think you are connecting to, you are not safe.
We are currently unaware of any way in which this can lead to remote code execution or controlled memory overwriting, since the overwritten heap block cannot be assigned an arbitrary value by the attacker, only shifted left by a chosen number of bits. However, we cannot be sure of that.
This bug does not affect RSA keys.
This bug was discovered by Mark Wooding. It has been assigned CVE ID CVE-2013-4206.