Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	PuTTY Buffer Overflow Vulnerability (SSH2_MSG_DEBUG) 28 Oct. 2004    Summary PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. Remote exploitation of a buffer overflow vulnerability in Simon Tatham's PuTTY can allow attackers to execute arbitrary code.   Credit: The information has been provided by iDEFENSE. The original article can be found at: www.idefense.com/application/poi/display?id=155&type=vulnerabilities Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * PuTTY Version 0.55 (probably prior versions as well) Immune Systems:  * PuTTY Version 0.56 The vulnerability specifically exists due to insufficient bounds checking on SSH2_MSG_DEBUG packets. The 'stringlen' parameter is given a user-supplied value by reading in an integer from an offset in the packet data. The 'stringlen' value is incorrectly checked due to signedness issues as seen below. Vulnerable Code: static int ssh2_rdpkt(Ssh ssh, unsigned char **data, int *datalen) {   struct rdpkt2_state_tag *st = &ssh->rdpkt2_state;   ...   switch (ssh->pktin.type) {         ...          case SSH2_MSG_DEBUG:              {                 char buf[512];                 int stringlen = GET_32BIT(ssh->pktin.data+7);                         int prefix;                         strcpy(buf, "Remote debug message: ");                         prefix = strlen(buf);                         if (stringlen > (int)(sizeof(buf)-prefix-1))                         stringlen = sizeof(buf)-prefix-1; [!] memcpy(buf + prefix,                                 ssh->pktin.data + 11, stringlen);                         buf[prefix + stringlen] = '\0';                         logevent(buf);                  } The following debugger output shows successful control of program execution: EAX CC004019 ECX 00401909 putty.00401909 EDX 7C9037D8 ntdll.7C9037D8 EBX 00000000 ESP 00129FC8 EBP 00129FDC ESI 0012A0A4 EDI 7C9037BF ntdll.7C9037BF EIP 0012FFBA SEH chain of main thread AddressSE handler 0012FFB0putty.00401905 Log data, item 0 Address=0012FFB9 Message=INT3 command at 0012FFB9 Exploitation allows remote attackers to execute arbitrary code under the privileges of the user running PuTTY. The client must be directed to connect to a malicious server in order to trigger the vulnerability. Vendor Status: PuTTY 0.56 addresses this problem and is available for download at: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html Disclosure Timeline: 10/21/2004 Initial vendor notification 10/21/2004 iDEFENSE clients notified 10/22/2004 Initial vendor response 10/27/2004 Public disclosure  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Novell Zenworks Software Packaging LaunchHelp.dll Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Microsoft Internet Explorer swapNode Handling Code Execution Vulnerability Microsoft Internet Explorer Select Element Insufficient Type Checking Code Execution Vulnerability Internet Explorer Select Element Cache Code Execution Vulnerability Microsoft Office Graph DataFormat Signed Index Code Execution Vulnerability Microsoft Office Excel Conditional Expression Ptg Type Confusion Vulnerability Microsoft Internet Explorer Protected Mode Bypass Vulnerability Microsoft Internet Explorer 9 STYLE Object Parsing Code Execution Vulnerability Microsoft Internet Explorer XSLT SetViewSlave Code Execution Vulnerability CA Total Defense Suite Gateway Security Malformed HTTP Packet Code Execution Vulnerability HP Easy Printer Care XMLSimpleAccessor Class ActiveX Control Code Execution Vulnerability TrendMicro Control Manager CASProcessor.exe BLOB Code Execution Vulnerability Symantec Veritas Storage Foundation vxsvc.exe Unicode Code Execution Vulnerability HP iNode Management Center iNodeMngChecker.exe Code Execution Vulnerability  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®