0x01 Vulnerability description
PuTTY's pscp component can copy files remotely between a Windows client and a Linux server. Recently (March 7) it was disclosed that pscp contains a buffer overflow: when a file is copied from the server side, the pscp client's sscanf call does not check the file size that the remote server returns in the SCP-SINK response, so the data received afterwards overflows a buffer and triggers a standard stack overflow exploit.
Shortly after the vulnerability was disclosed, the PuTTY website fixed it; the fixed version is PuTTY 0.67. A corresponding POC file has also appeared on GitHub:
PuTTY users are therefore advised to upgrade to the latest version as soon as possible.
Based on that POC, this article attempts to reproduce the vulnerability scenario, analyze it and exploit it.
0x02 Environment setup
- Client OS: Windows XP SP3 (an XP system is used here to make debugging easier)
- PuTTY pscp: version 0.62
- Server side: Python 2.7, with the Python SSH library paramiko installed
Command: pip install paramiko
In my test, the Kali system had paramiko installed by default, but not the latest version, so it needed to be upgraded to the latest version.
Command: git clone <https://github.com/paramiko/paramiko.git>
Enter the paramiko directory and install it: python setup.py install
Test whether paramiko was installed successfully; if it was, the result is as shown below.
- Make sure poc.py and test_rsa.key are in the same directory, because poc.py needs to read the key file.
Then run poc.py to start the malicious SSH server. The default SSH service must be stopped first: service ssh stop
On the client, run pscp and execute the download command:
After the password is entered, pscp crashes; the malicious data has been written successfully:
At this point the vulnerability has been triggered successfully!
0x03 Vulnerability analysis
After the program crashes, attach WinDbg to view the crash site. You can set WinDbg as the default debugger in advance with the command windbg -I, so that WinDbg attaches immediately when the program raises the exception:
It can be seen that the large amount of malicious data "AAAA..." sent by the POC causes a buffer overflow in the client, and the program's return address (EIP) is hijacked.
Starting from the crash point, trace back through the stack to see which function the program called before the crash:
Several values that look like return addresses can be seen. Judging from the overflow point, the overflow is certainly caused near one of these functions, so try them one by one. Disassemble the instructions at 0x00406ff7:
Start pscp with the parameters: pscp email@example.com:/etc/passwd .
Set breakpoints at the several call sites above:
As can be seen, the overflow occurs after the function called at address 0x00406fd6 executes, so it can be concluded that this function is the one causing the overflow.
From the vulnerability description we know that the overflow is caused by the pscp client's sscanf call, so the function at this address should be sscanf. View the code at that address in IDA:
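To make the defect class concrete, the following C snippet is an added illustration (not the article's or PuTTY's code) of a hypothetical SCP sink control-line parser: the first function uses an unbounded "%s" conversion and never validates the announced size, the second bounds the conversion, detects truncation and rejects sizes above a caller-supplied ceiling. The line format, the struct and the max_size parameter are assumptions for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Fields of an SCP sink control line such as "C0644 12 passwd\n" (constructed). */
struct sink_action {
    unsigned long permissions;
    uint64_t size;
    char name[256];
};

/* Hypothetical vulnerable form of the parse: "%s" has no width, so a
 * server-chosen size field longer than sizestr overruns the stack buffer
 * before the size is ever checked. Shown only for contrast with the
 * hardened parser below; it is never called on untrusted input here. */
int parse_sink_line_vulnerable(const char *line, struct sink_action *act)
{
    char sizestr[40];
    int n = 0;
    if (line[0] != 'C' ||
        sscanf(line + 1, "%lo %s %n", &act->permissions, sizestr, &n) != 2)
        return -1;
    act->size = strtoull(sizestr, NULL, 10);
    snprintf(act->name, sizeof act->name, "%s", line + 1 + n);
    act->name[strcspn(act->name, "\r\n")] = '\0';
    return 0;
}

/* Hardened form: bounded width, truncation check, and a size ceiling. */
int parse_sink_line_hardened(const char *line, struct sink_action *act,
                             uint64_t max_size)
{
    char sizestr[21];               /* 20 digits of a uint64_t plus NUL */
    const char *p = line + 1;
    char *end; int n = 0;
    if (line[0] != 'C' ||
        sscanf(p, "%lo %20s %n", &act->permissions, sizestr, &n) != 2)
        return -1;
    /* %20s stops at whitespace; a digit just before %n's position means the size field was cut off. */
    if (!isspace((unsigned char)p[n - 1])) return -1;
    errno = 0;
    act->size = strtoull(sizestr, &end, 10);
    if (errno == ERANGE || *end != '\0' || act->size > max_size) return -1;
    snprintf(act->name, sizeof act->name, "%s", p + n);
    act->name[strcspn(act->name, "\r\n")] = '\0';
    return act->name[0] ? 0 : -1;
}
```

The hardened parser returns -1 for a size field that is oversized, truncated or non-numeric, so the caller never allocates or receives based on an unchecked server-supplied size.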