PuTTY vulnerability vuln-ssh1-short-rsa-keys

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Changes | Wishlist

summary: Vulnerability: buffer overflow in SSH-1 if server sends two tiny RSA keys
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
present-in: 0.43 0.44 0.45 0.46 0.47 0.48 0.49 0.50 0.51 0.52 0.53 0.53b 0.54 0.55 0.56 0.57 0.58 0.59 0.60 0.61 0.62 0.63 0.64 0.65 0.66 0.67 0.68 0.69 0.70 0.71
fixed-in: c191ff129cd3415af08143fb40c461de5730655d (0.72)

All versions of the PuTTY suite prior to 0.72 have a memory corruption bug in SSH-1 key exchange, which might lead to a security vulnerability.

During SSH-1 key exchange, the server sends a packet containing an RSA host key and an RSA server key. PuTTY will allocate a buffer the size of the larger key, and then write a random 32-byte session id into it, before encrypting the session id with both keys in sequence.

The bug is triggered if a malicious server sends RSA host and server keys which are both shorter than 32 bytes, in which case the allocated buffer will also be less than 32 bytes, and the initial writing of the session id will overrun the buffer.

We have no evidence that this can be exploited to cause remote code execution. The data written into the too-small buffer is made up by PuTTY, not by the server. But, on the other hand, we don't know that it can't allow code execution.

The bug occurs before host key verification. (PuTTY verifies the host key before performing encryption with it, but unfortunately, not before the initial write into the buffer it's going to encrypt in.) So a network attacker intercepting your connection could attack PuTTY through this vulnerability before being detected as not the real server.

This bug only affects the obsolete SSH-1 protocol, which is rarely used. In PuTTY 0.68 and later, we no longer support automatic fallback to SSH-1 from SSH-2, so any saved session configured to the default of SSH-2 will not be vulnerable to this issue.

This vulnerability was found as part of a bug bounty programme run under the auspices of the EU-FOSSA project.


If you want to comment on this web site, see the Feedback page.
Audit trail for this vulnerability.
(last revision of this bug record was at 2019-07-20 07:44:55 +0100)