[3.0] putty: Integer overflow and buffer underrun in terminal emulator's ECH handling (CVE-2015-5309)
A potentially memory-corrupting integer overflow in the handling of ECH
(erase characters) control sequence in the terminal
emulator was found in putty versions between 0.54 and 0.65. To
exploit a vulnerability in the terminal emulator, an attacker
must be able to insert a carefully crafted escape sequence into the
terminal stream. For a PuTTY SSH session,
this must be before encryption, so the attacker likely needs access to
the server the victim is connecting to. For instance,
an attacker on a multi-user machine that the victim connects to could trick
the victim into running cat on a file the attacker controls containing a
malicious escape sequence.
The vulnerability arises because PuTTY uses signed integer variables to
hold the number of characters to be erased and doesn’t
adequately check for overflow. This means that by passing a very large
parameter to ECH, an attacker could cause check_boundary
to inspect memory outside the terminal buffer. Were it to find UCSWIDE
there, it would corrupt some nearby memory. This might be
exploitable if the attacker could arrange for UCSWIDE to be in memory
somewhere near a sensitive data structure.
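The mechanism described above, as an added toy model in C (not PuTTY's terminal.c; COLS, the UCSWIDE value and the function names are assumptions). It contrasts the unclamped signed arithmetic with a count clamped to the row width, the kind of check the advisory says is missing, plus a boundary probe that refuses out-of-row indexes.

```c
#include <limits.h>
#include <stdbool.h>
#define COLS 80          /* assumed row width of the toy terminal */
#define UCSWIDE 0xDFFFu  /* assumed marker for the right half of a wide glyph */

/* Vulnerable pattern: a signed ECH parameter added to the cursor column
 * with no clamp. Summed in long long so the toy has no undefined behaviour,
 * but it shows the probe index landing far outside the row. */
static long long ech_end_unclamped(int curs_x, int n) {
    return (long long)curs_x + (long long)n;
}

/* Hardened pattern: clamp the count to the row width first, so the end
 * column never leaves [0, COLS]. ECH with 0 / no parameter means 1 cell. */
static int ech_end_clamped(int curs_x, int n) {
    if (n < 1) n = 1;
    if (n > COLS) n = COLS;
    if (curs_x < 0) curs_x = 0;
    if (curs_x > COLS) curs_x = COLS;
    return (curs_x + n > COLS) ? COLS : curs_x + n;
}

/* Toy check_boundary: a wide glyph straddling x gets both halves blanked
 * so the erase leaves no split character. The range test is the guard
 * the advisory says an oversized parameter could get past: without it an
 * out-of-row x is read, and on a UCSWIDE hit also written. */
static bool check_boundary(unsigned int *row, long long x) {
    if (x <= 0 || x >= COLS) return false;  /* outside the row: touch nothing */
    if (row[x] != UCSWIDE) return false;
    row[x] = ' '; row[x - 1] = ' ';
    return true;
}

/* Erase n cells from curs_x using the clamped end; returns cells erased. */
static int ech_apply(unsigned int *row, int curs_x, int n) {
    if (curs_x < 0 || curs_x >= COLS) return 0;
    int end = ech_end_clamped(curs_x, n), erased = 0;
    check_boundary(row, end);
    for (int x = curs_x; x < end; x++) { row[x] = ' '; erased++; }
    return erased;
}

/* Constructed scenario: cells hold 'a', a wide glyph sits in 78-79, the
 * cursor is at curs_x and n is the (possibly hostile) parameter. */
static int ech_demo(int curs_x, int n) {
    unsigned int row[COLS];
    for (int i = 0; i < COLS; i++) row[i] = 'a';
    row[COLS - 1] = UCSWIDE;
    return ech_apply(row, curs_x, n);
}
```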
Fixed In Version:
putty 0.66
References:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5309
Patch:
(from redmine: issue id 4912, created on 2015-12-02, closed on 2015-12-04)
- Relations:
  - parent #4909 (closed)
- Changesets:
  - Revision 084ed17b on 2015-12-03T09:44:13Z:
    main/putty: security upgrade to 0.66 (CVE-2015-5309). Fixes #4912