Arch Linux Security Advisory ASA-201511-7
========================================
Severity: Medium
Date    : 2015-11-12
CVE-ID  : CVE-2015-5309
Package : putty
Type    : arbitrary code execution
Remote  : No
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package putty before version 0.66-1 is vulnerable to an integer
overflow that results in denial of service or, under certain
circumstances, could potentially lead to arbitrary code execution.

Resolution
=========
Upgrade to 0.66-1.

# pacman -Syu "putty>=0.66-1"

The problem has been fixed upstream in version 0.66.

Workaround
=========
None.

Description
==========
A potential memory-corrupting integer overflow has been discovered in
the handling of the ECH (erase characters) control sequence in the
terminal emulator.

To exploit a vulnerability in the terminal emulator, an attacker must be
able to insert a carefully crafted escape sequence into the terminal
stream. For a PuTTY SSH session, this must be before encryption, so the
attacker likely needs access to the server you're connecting to. For
instance, an attacker on a multi-user machine that you connect to could
trick you into running cat on a file they control containing a malicious
escape sequence. (Unix write(1) is not a vector for this, if implemented
correctly.)

The purpose of ECH is to erase multiple characters within a single line.
To this end, it includes a numeric parameter to specify the number of
characters to be erased. PuTTY accumulates this one digit at a time in
an integer variable. As part of the processing of ECH, the
check_boundary function checks whether the start or end of the erased
range falls in the middle of a double-width character (such as a kanji
ideograph) so that it can ensure that the whole character is erased.
Each character cell in the live terminal is held as a structure
containing among other things the character code and a word of
attributes. A double-width character is recorded by having a special
value called UCSWIDE as the character code in the second cell, and when
check_boundary detects that value, it resets the character code of both
cells to a fixed value and copies the attributes from the left one to
the right one.

The vulnerability arises because PuTTY uses signed integer variables to
hold the number of characters to be erased and doesn't adequately check
for overflow. This means that by passing a very large parameter to ECH,
an attacker could cause check_boundary to inspect memory outside the
terminal buffer. Were it to find UCSWIDE there, it would corrupt some
nearby memory. This might be exploitable if the attacker could arrange
for UCSWIDE to be in memory somewhere near a sensitive data structure.

Impact
=====
An attacker is able to prepare a specially crafted file and trick the
victim on the same local machine to output the malicious escape sequence
(for example via cat) to trigger an integer overflow that is resulting
in memory corruption ultimately leading to either denial of service or,
under certain circumstances, potentially arbitrary code execution.

References
=========
https://access.redhat.com/security/cve/CVE-2015-5309
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html

ArchLinux: 201511-7: putty: arbitrary code execution

November 12, 2015

Summary

A potential memory-corrupting integer overflow has been discovered in the handling of the ECH (erase characters) control sequence in the terminal emulator. To exploit a vulnerability in the terminal emulator, an attacker must be able to insert a carefully crafted escape sequence into the terminal stream. For a PuTTY SSH session, this must be before encryption, so the attacker likely needs access to the server you're connecting to. For instance, an attacker on a multi-user machine that you connect to could trick you into running cat on a file they control containing a malicious escape sequence. (Unix write(1) is not a vector for this, if implemented correctly.)
The purpose of ECH is to erase multiple characters within a single line. To this end, it includes a numeric parameter to specify the number of characters to be erased. PuTTY accumulates this one digit at a time in an integer variable. As part of the processing of ECH, the check_boundary function checks whether the start or end of the erased range falls in the middle of a double-width character (such as a kanji ideograph) so that it can ensure that the whole character is erased. Each character cell in the live terminal is held as a structure containing among other things the character code and a word of attributes. A double-width character is recorded by having a special value called UCSWIDE as the character code in the second cell, and when check_boundary detects that value, it resets the character code of both cells to a fixed value and copies the attributes from the left one to the right one.
The vulnerability arises because PuTTY uses signed integer variables to hold the number of characters to be erased and doesn't adequately check for overflow. This means that by passing a very large parameter to ECH, an attacker could cause check_boundary to inspect memory outside the terminal buffer. Were it to find UCSWIDE there, it would corrupt some nearby memory. This might be exploitable if the attacker could arrange for UCSWIDE to be in memory somewhere near a sensitive data structure.

Resolution

Upgrade to 0.66-1. # pacman -Syu "putty>=0.66-1"
The problem has been fixed upstream in version 0.66.

References

https://access.redhat.com/security/cve/CVE-2015-5309 https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html

Severity
Package : putty
Type : arbitrary code execution
Remote : No
Link : https://wiki.archlinux.org/title/CVE

Workaround

None.

Related News

2.Motherboard Esm H320
2 - 3 min read
German software engineer Lennart Poettering recently presented run0 , a new tool in systemd v256 that aims to address the security concerns
22.Lock ScreenEffect Esm H320
2 - 3 min read
Red Hat recently released its newest enterprise Linux distro, Red Hat Enterprise Linux (RHEL) 9.4 , which introduces several features designed to
8.Locks HexConnections CodeGlobe Esm H320
1 - 2 min read
The latest release of Debian , one of the oldest and most trusted distributions within the Linux ecosystem, redefines security, stability, and
20.Lock AbstractDigital Circular Esm H320
1 - 2 min read
The Ubuntu security team has recently discovered and addressed multiple vulnerabilities in the Apache HTTP Server. The vulnerabilities affected
1.Penguin Landscape Esm H320
1 - 2 min read
A critical vulnerability was discovered in the Linux kernel's netfilter subsystem, specifically within the nf_tables component, posing potential
19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved