Nytro Posted March 5, 2016

VuNote
Author: tintinweb@oststrom.com <github.com/tintinweb>
Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563
Version: 0.1
Date: Feb 20th, 2016
Tag: putty pscp client-side post-auth stack buffer overwrite when processing remote file size

Overview

Name: putty
Vendor: sgtatham
References:
* http://www.chiark.greenend.org.uk/~sgtatham/putty/ [1]
Version: 0.66 [2]
Latest Version: 0.66
Other Versions: 0.59 [3] (~9 years ago) <= affected <= 0.66
Platform(s): win/nix
Technology: c
Vuln Classes: stack buffer overwrite (CWE-121)
Origin: remote
Min. Privs.: post auth
CVE: CVE-2016-2563

Description

Quote from the website [1]:

PuTTY is a free implementation of SSH and Telnet for Windows and Unix platforms, along with an xterm terminal emulator. It is written and maintained primarily by Simon Tatham.

Summary

The putty SCP command-line utility (pscp) is missing a bounds check for a stack buffer when processing the SCP-SINK file-size response to an SCP download request. This may allow a malicious server to overwrite the stack buffer within the client application, potentially leading to remote code execution.

PoC attached. Patch attached.

Besides that, two minor issues have been reported in putty packet handling:

* DoS condition in the parsing of SSH strings that leads to a nullptr read. (Connect putty to the PoC and type 'x11exploit' to trigger one occurrence of a crash.)
* DoS condition in the handling of unrequested forwarded-tcpip channel open requests that leads to a nullptr read. (Connect putty to the PoC and type 'forwardedtcpipcrash' to trigger the crash.)

Link: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563
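The bug class in the summary above, as an added example that is not code from the advisory, the PoC, or PuTTY itself: an SCP client reads the server's per-file header line ("C<mode> <size> <name>") and copies the size field into a fixed-size stack buffer. The first parser stops copying only at the next space, which is the missing bounds check the advisory describes; the second bounds-checks the copy, accepts digits only, and checks the numeric conversion for overflow. The 40-byte buffer, the struct and function names, and the rejection of '/' in file names are assumptions made for this example, not details taken from pscp.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed example, not PuTTY's code. In SCP the server announces each
 * file to the downloading client with a header line "C<mode> <size> <name>\n".
 * Both parsers below copy the size field into a 40-byte stack buffer; only
 * the second bounds-checks it. Names and return values are our own choices. */
struct sink_hdr {
    unsigned mode;      /* four octal digits after 'C' */
    uint64_t size;      /* file size as announced by the server */
    char name[256];     /* file name */
};
/* 'C' + four octal digits + ' '; returns a pointer to the size field or NULL. */
static const char *parse_mode(const char *p, unsigned *mode)
{
    unsigned m = 0;
    int i;
    if (*p++ != 'C') return NULL;
    for (i = 0; i < 4; i++, p++) {
        if (*p < '0' || *p > '7') return NULL;
        m = m * 8 + (unsigned)(*p - '0');
    }
    if (*p++ != ' ') return NULL;
    *mode = m;
    return p;
}
/* Name up to the newline; rejects empty or overlong names and any '/' (our
 * hardening choice, so the server cannot steer where the file is written). */
static int parse_name(const char *p, char *name, size_t cap)
{
    size_t i = 0;
    while (*p != '\n' && *p != '\0') {
        if (i + 1 >= cap || *p == '/') return -1;
        name[i++] = *p++;
    }
    if (i == 0) return -1;
    name[i] = '\0';
    return 0;
}
/* VULNERABLE pattern (CWE-121): the loop stops at the next space, never at the
 * end of sizestr, so a size field of 40+ bytes from a malicious server writes
 * past the stack buffer. Kept for comparison; call only with a sane header. */
int parse_sink_header_unchecked(const char *line, struct sink_hdr *out)
{
    char sizestr[40];
    size_t i = 0;
    const char *p = parse_mode(line, &out->mode);
    if (!p) return -1;
    while (*p != ' ' && *p != '\0')      /* no "i < sizeof sizestr" check */
        sizestr[i++] = *p++;
    sizestr[i] = '\0';
    if (*p != ' ') return -1;
    out->size = strtoull(sizestr, NULL, 10);
    return parse_name(p + 1, out->name, sizeof out->name);
}
/* Hardened: bounded copy, digits only, conversion checked for overflow. */
int parse_sink_header_checked(const char *line, struct sink_hdr *out)
{
    char sizestr[40];
    size_t i = 0;
    char *end;
    const char *p = parse_mode(line, &out->mode);
    if (!p) return -1;
    while (*p != ' ') {
        if (!isdigit((unsigned char)*p)) return -1;  /* also stops at '\0' */
        if (i + 1 >= sizeof sizestr) return -1;      /* leave room for the NUL */
        sizestr[i++] = *p++;
    }
    if (i == 0) return -1;
    sizestr[i] = '\0';
    errno = 0;
    out->size = strtoull(sizestr, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;
    return parse_name(p + 1, out->name, sizeof out->name);
}
/* Wrappers returning plain values: the parsed size, or -1 if rejected. */
long long checked_size(const char *line)
{ struct sink_hdr h; return parse_sink_header_checked(line, &h) == 0 ? (long long)h.size : -1; }
long long unchecked_size(const char *line)
{ struct sink_hdr h; return parse_sink_header_unchecked(line, &h) == 0 ? (long long)h.size : -1; }
/* Constructed malicious-server header whose size field is `digits` nines;
 * returns the hardened parser's verdict (0 = accepted, -1 = rejected). */
int checked_verdict_for_long_size(size_t digits)
{
    char line[512];
    struct sink_hdr h;
    if (digits > 400) return -2;
    memcpy(line, "C0644 ", 6);
    memset(line + 6, '9', digits);
    memcpy(line + 6 + digits, " x\n", 4);   /* 4 bytes copies the NUL too */
    return parse_sink_header_checked(line, &h);
}
```

The point of the hardened version is that the bound comes from the destination buffer, not from the attacker-controlled input: the copy loop refuses the 40th byte instead of trusting that a space will arrive in time. Building with -fsanitize=address makes the difference visible if one chooses to feed the long header to the unchecked parser; the checks above only ever hand it a well-formed line.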
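The two minor issues are described only as NULL pointer reads in packet handling, and the advisory gives no further detail on the code paths involved. As an added example that is not pscp's or the PoC's code, the following shows the general defensive pattern for the length-prefixed "string" type SSH packets are built from (RFC 4251: a big-endian uint32 length followed by that many bytes): a getter that returns NULL when the declared length runs past the end of the packet, and a caller that tests for NULL before touching the result. The two-string message layout, the buffer struct and all names are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed example, not PuTTY's code. Shows the check a caller needs on
 * an RFC 4251 string getter that returns NULL for truncated input; the
 * "name, value" message layout below is hypothetical. */
struct ssh_buf {
    const unsigned char *data;
    size_t len;     /* total bytes in the packet body */
    size_t pos;     /* read cursor, always <= len */
};
static int get_uint32(struct ssh_buf *b, uint32_t *v)
{
    const unsigned char *p;
    if (b->len - b->pos < 4) return -1;
    p = b->data + b->pos;
    *v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    b->pos += 4;
    return 0;
}
/* Returns the string bytes and sets *n, or NULL when the declared length
 * exceeds what is left in the packet (a truncated or malicious message). */
const unsigned char *get_string(struct ssh_buf *b, size_t *n)
{
    uint32_t len;
    const unsigned char *s;
    if (get_uint32(b, &len) < 0) return NULL;
    if (len > b->len - b->pos) return NULL;
    s = b->data + b->pos;
    b->pos += len;
    *n = len;
    return s;
}
/* Hypothetical message body: string name, string value. Copies the name out
 * and returns the value's length, or -1 on malformed input. Dropping either
 * NULL check turns a short packet into a read through a NULL pointer. */
int parse_name_value(const unsigned char *pkt, size_t pktlen, char *name, size_t cap)
{
    struct ssh_buf b = { pkt, pktlen, 0 };
    size_t n1, n2;
    const unsigned char *s1 = get_string(&b, &n1);
    if (s1 == NULL) return -1;
    const unsigned char *s2 = get_string(&b, &n2);
    if (s2 == NULL) return -1;
    if (n1 + 1 > cap) return -1;
    memcpy(name, s1, n1);
    name[n1] = '\0';
    return (int)n2;
}
/* Constructed packets: well-formed; second string claims 9 bytes but only 2
 * follow; first length field is 0xffffffff with one byte of payload. */
static const unsigned char pkt_ok[]    = { 0,0,0,3,'f','o','o', 0,0,0,2,'h','i' };
static const unsigned char pkt_short[] = { 0,0,0,3,'f','o','o', 0,0,0,9,'h','i' };
static const unsigned char pkt_huge[]  = { 0xff,0xff,0xff,0xff, 'x' };
int verdict_ok(void)    { char nm[16]; return parse_name_value(pkt_ok, sizeof pkt_ok, nm, sizeof nm); }
int verdict_short(void) { char nm[16]; return parse_name_value(pkt_short, sizeof pkt_short, nm, sizeof nm); }
int verdict_huge(void)  { char nm[16]; return parse_name_value(pkt_huge, sizeof pkt_huge, nm, sizeof nm); }
```

The length comparison is done against the bytes remaining after the cursor, never against the total packet size, so a second string cannot "borrow" bytes already consumed by the first; and because get_string can legitimately fail, every caller must treat NULL as a protocol error rather than as data.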