CVE-2005-0467
CVSS 7.5
Published: 2005-02-21 00:00:00
Revised: 2008-09-05 16:46:22

[Original text] Multiple integer overflows in the (1) sftp_pkt_getstring and (2) fxp_readdir_recv functions in the PSFTP and PSCP clients for PuTTY 0.56, and possibly earlier versions, allow remote malicious web sites to execute arbitrary code via SFTP responses that corrupt the heap after insufficient memory has been allocated.


[CNNVD] PuTTY SFTP Client Packet Parsing Integer Overflow Vulnerability (CNNVD-200502-076)

        PuTTY is a free Telnet and SSH client implementation that runs on the Win32 platform.
        The (1) sftp_pkt_getstring and (2) fxp_readdir_recv functions in the PSFTP and PSCP clients of PuTTY 0.56 allow remote malicious web sites to execute arbitrary code through heap corruption caused by SFTP responses.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [exploitation is not subject to access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0467
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0467
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-076
(official data source) CNNVD

- Other links and resources

http://www.idefense.com/application/poi/display?id=201&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050221 Multiple PuTTY SFTP Client Packet Parsing Integer Overflow Vulnerabilities
http://www.gentoo.org/security/en/glsa/glsa-200502-28.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200502-28
http://secunia.com/advisories/14333
(VENDOR_ADVISORY)  SECUNIA  14333
http://xforce.iss.net/xforce/xfdb/19403
(UNKNOWN)  XF  putty-sftppktgetstring-bo(19403)
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-string.html
(VENDOR_ADVISORY)  CONFIRM  http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-string.html
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-readdir.html
(VENDOR_ADVISORY)  CONFIRM  http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-readdir.html
http://www-1.ibm.com/support/docview.wss?uid=ssg1S1002416
(UNKNOWN)  CONFIRM  http://www-1.ibm.com/support/docview.wss?uid=ssg1S1002416
http://www-1.ibm.com/support/docview.wss?uid=ssg1S1002414
(UNKNOWN)  CONFIRM  http://www-1.ibm.com/support/docview.wss?uid=ssg1S1002414
http://secunia.com/advisories/17214
(UNKNOWN)  SECUNIA  17214

- Vulnerability information

PuTTY SFTP Client Packet Parsing Integer Overflow Vulnerability
High severity  Buffer overflow
2005-02-21 00:00:00 2005-10-20 00:00:00
Remote
        PuTTY is a free Telnet and SSH client implementation that runs on the Win32 platform.
        The (1) sftp_pkt_getstring and (2) fxp_readdir_recv functions in the PSFTP and PSCP clients of PuTTY 0.56 allow remote malicious web sites to execute arbitrary code through heap corruption caused by SFTP responses.

- Advisories and patches

        The vendor has not yet released a patch or upgrade; users of this software are advised to check the vendor's home page regularly for the latest version:
        http://www.chiark.greenend.org.uk/~sgtatham/putty/

- Vulnerability information (F36266)

iDEFENSE Security Advisory 2005-02-21.3 (PacketStormID:F36266)
2005-02-26 00:00:00
iDefense Labs  idefense.com
advisory,remote,overflow,arbitrary,vulnerability
CVE-2005-0467

iDEFENSE Security Advisory 02.21.05 - Remote exploitation of multiple integer overflow vulnerabilities in Simon Tatham's PuTTY can allow attackers to execute arbitrary code. Version 0.56 is verified as vulnerable.

Multiple PuTTY SFTP Client Packet Parsing Integer Overflow Vulnerabilities

iDEFENSE Security Advisory 02.21.05:
www.idefense.com/application/poi/display?id=201&type=vulnerabilities
February 21, 2005

I. BACKGROUND

PuTTY is a free implementation of Telnet and SSH for Win32 and Unix
platforms, along with an xterm terminal emulator.

More information is available on the vendor's website:
http://www.chiark.greenend.org.uk/~sgtatham/putty/

II. DESCRIPTION

Remote exploitation of multiple integer overflow vulnerabilities in 
Simon Tatham's PuTTY can allow attackers to execute arbitrary code.

The first vulnerability specifically exists due to insufficient 
validation of user-supplied data passed to a memcpy function. The PuTTY 
sftp implementation allows attackers to supply arbitrary values for the 
stored length of the string in the packet. This may be observed in the 
sftp_pkt_getstring() function from sftp.c in PuTTY source code:

static void sftp_pkt_getstring(struct sftp_packet *pkt,
                               char **p, int *length)
{                              
    *p = NULL;
    if (pkt->length - pkt->savedpos < 4)
        return;        
    /* length value is taken from user-supplied data */
    *length = GET_32BIT(pkt->data + pkt->savedpos);
    pkt->savedpos += 4;
    /* this check will be passed if length < 0 */
    if (pkt->length - pkt->savedpos < *length)  
        return;                                  
    *p = pkt->data + pkt->savedpos;
    pkt->savedpos += *length;
}

This function is called from fxp_open_recv() and passes the returned 
string pointer and string length to the mkstr() function:


struct fxp_handle *fxp_open_recv(struct sftp_packet *pktin,
                 struct sftp_request *req)
{
    ...
    /* sftp_pkt_getstring call with controlled len value */
    sftp_pkt_getstring(pktin, &hstring, &len);  
    ...
    handle = snew(struct fxp_handle);
    /* heap corruption will occur if len == -1 */
    handle->hstring = mkstr(hstring, len);      
    handle->hlen = len;
    sftp_pkt_free(pktin);
    return handle;
    ...
}

If length is passed as -1, a malloc(0) will occur when the snewn() macro 
is called:

static char *mkstr(char *s, int len)
{
    /* malloc(0) if len == -1 */
    char *p = snewn(len + 1, char);  
    /* user controlled heap corruption */
    memcpy(p, s, len);
    p[len] = '\0';
    return p;
}

Finally, when the memcpy function is called heap corruption will occur
leading to potential code execution.

The second vulnerability specifically exists due to insufficient
validation of user-supplied data passed to a malloc function. This may 
be observed in the fxp_readdir_recv() function from PuTTY source code:

struct fxp_names *fxp_readdir_recv(struct sftp_packet *pktin,
                                   struct sftp_request *req)
{
    ...
    /* 32 bit value from packet */
    ret->nnames = sftp_pkt_getuint32(pktin);
    /*
     * The integer overflow occurs when ret->nnames is referenced:
     * the snewn macro calls the malloc() wrapper
     * #define snewn(n, type) ((type *)smalloc((n)*sizeof(type)))
     */
    ret->names = snewn(ret->nnames, struct fxp_name);
    for (i = 0; i < ret->nnames; i++) {
        char *str;
        int len;
        sftp_pkt_getstring(pktin, &str, &len);
        /* pointer to arbitrary data from packet */
        ret->names[i].filename = mkstr(str, len);
        sftp_pkt_getstring(pktin, &str, &len);
        /* pointer to arbitrary data from packet */
        ret->names[i].longname = mkstr(str, len);
        /* pointer to arbitrary data from packet */
        ret->names[i].attrs = sftp_pkt_getattrs(pktin);
    }
    ...
}

This function is called from scp_get_sink_action() in scp.c and 
sftp_cmd_ls() in sftp.c and can lead to remote code execution via heap 
corruption. Sample debugger output of heap corruption is shown below:

psftp> ls
Listing directory /home/test

Program received signal SIGSEGV, Segmentation fault.
0x4009173c in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x4009173c in memcpy () from /lib/libc.so.6
#1  0x0805675f in mkstr (s=0x4e20 <Address 0x4e20 out of bounds>, len=0)
#2  0x0805748e in fxp_readdir_recv (pktin=0x809bc10, req=0x4e20)
#3  0x0804f7b8 in sftp_cmd_ls (cmd=0x4e20) at ../psftp.c:251
#4  0x08051955 in do_sftp (mode=0, modeflags=0, batchfile=0x0)
#5  0x080525f8 in psftp_main (argc=4, argv=0xbffff494)
#6  0x08080500 in main (argc=20000, argv=0x4e20)
(gdb) up 2
#2  0x0805748e in fxp_readdir_recv (pktin=0x809bc10, req=0x4e20)
952                 ret->names[i].filename = mkstr(str, len);
(gdb) x/8x *(int)pktin
0x80acc58:  0x01000068  0x66666600  0x00000067  0x42424208
0x80acc68:  0x42424242  0x00000042  0x44444408  0x44444444
(gdb) print (struct sftp_packet)pktin
$2 = {data = 0x809bc10 "X    
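The two parsing steps the advisory walks through, the signed-length string reader feeding mkstr() and the unchecked readdir count feeding snewn(), rewritten with the bounds and overflow checks they lack. This is an added example, not code from the iDefense advisory or from PuTTY, and it does not claim to be the fix PuTTY shipped in 0.57. The names struct pkt, original_check_passes, safe_getstring, safe_mkstr, safe_alloc_array and plausible_nnames are hypothetical, and the packet bytes are constructed inline rather than captured from a server.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical packet view standing in for PuTTY's struct sftp_packet.
 * Offsets are size_t so "remaining bytes" is always unsigned. */
struct pkt {
    const unsigned char *data;
    size_t length;
    size_t savedpos;
};

static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The original comparison reproduced on plain ints (no memory is touched).
 * A stored 0xFFFFFFFF converts to -1 on two's-complement targets, and
 * "remaining < -1" is false, so the original check lets it through. */
int original_check_passes(int pkt_length, int savedpos, uint32_t raw)
{
    int length = (int)raw;              /* implementation-defined conversion */
    return !(pkt_length - savedpos < length);
}

/* Hardened reader: unsigned length, unsigned remaining count, explicit status.
 * Returns 1 and sets *s/*len on success; 0 with *s == NULL on malformed input. */
int safe_getstring(struct pkt *pkt, const unsigned char **s, size_t *len)
{
    uint32_t n;
    *s = NULL;
    *len = 0;
    if (pkt->length - pkt->savedpos < 4)
        return 0;
    n = get_u32(pkt->data + pkt->savedpos);
    pkt->savedpos += 4;
    if (n > pkt->length - pkt->savedpos)    /* both sides unsigned: no sign trap */
        return 0;
    *s = pkt->data + pkt->savedpos;
    *len = n;
    pkt->savedpos += n;
    return 1;
}

/* Hardened mkstr: refuses a NULL source (a failed read) and a length for which
 * len + 1 would wrap, so malloc(0) followed by memcpy cannot occur. */
char *safe_mkstr(const unsigned char *s, size_t len)
{
    char *p;
    if (s == NULL || len == SIZE_MAX)
        return NULL;
    p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, s, len);
    p[len] = '\0';
    return p;
}

/* The multiplication guard that snewn(n, type) does not perform. */
void *safe_alloc_array(size_t n, size_t elem)
{
    if (elem != 0 && n > SIZE_MAX / elem)
        return NULL;
    return calloc(n, elem);
}

/* Plausibility check for a readdir count before allocating: each entry needs
 * at least two 4-byte string lengths plus a 4-byte attribute flags word, so a
 * count above remaining / 12 cannot be honest. */
int plausible_nnames(const struct pkt *pkt, uint32_t nnames)
{
    return nnames <= (pkt->length - pkt->savedpos) / 12;
}

/* Constructed packet: declared string length 0xFFFFFFFF (the advisory's "-1"). */
int demo_negative_length(void)
{
    static const unsigned char bad[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'A', 'B' };
    struct pkt p = { bad, sizeof bad, 0 };
    const unsigned char *s;
    size_t len;
    return safe_getstring(&p, &s, &len);    /* 0: rejected */
}

/* Constructed packet: two well-formed strings parse; a third read fails cleanly. */
int demo_two_strings(void)
{
    static const unsigned char good[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o',
                                          0, 0, 0, 3, 'a', 'b', 'c' };
    struct pkt p = { good, sizeof good, 0 };
    const unsigned char *s;
    size_t len;
    char *a, *b;
    int ok;
    if (!safe_getstring(&p, &s, &len)) return 0;
    a = safe_mkstr(s, len);
    if (!safe_getstring(&p, &s, &len)) { free(a); return 0; }
    b = safe_mkstr(s, len);
    ok = a && b && strcmp(a, "hello") == 0 && strcmp(b, "abc") == 0 &&
         !safe_getstring(&p, &s, &len);
    free(a);
    free(b);
    return ok;
}

/* Constructed readdir reply: count 0x40000000 with only 16 payload bytes. */
int demo_readdir_count(void)
{
    static const unsigned char reply[20] = { 0x40, 0, 0, 0 };
    struct pkt p = { reply, sizeof reply, 4 };
    return plausible_nnames(&p, get_u32(reply));    /* 0: rejected */
}

int main(void)
{
    printf("original check passes 0xFFFFFFFF: %d\n", original_check_passes(6, 4, 0xFFFFFFFFu));
    printf("hardened reader rejects it: %d\n", !demo_negative_length());
    printf("valid strings parse: %d\n", demo_two_strings());
    printf("bogus readdir count rejected: %d\n", !demo_readdir_count());
    return 0;
}
```

The two defensive changes are independent: making the length and the remaining-byte count unsigned removes the sign confusion in the first bug, while the multiplication guard and the per-entry plausibility bound address the second, so that a hostile count is refused before any allocation or per-entry parsing happens.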

- Vulnerability information

14002
PuTTY fxp_readdir_recv() Function Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown Vendor Verified

- Vulnerability description

A remote overflow exists in PuTTY. The 'fxp_readdir_recv()' function fails to perform proper bounds checking resulting in an integer overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-02-20 Unknown
Unknown 2005-02-21

- Solution

Upgrade to version 0.57 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author
