ID: PACKETSTORM:142870
Type: packetstorm
Reporter: Tim Kosse
Modified: 2017-06-08T00:00:00
Description
Source: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html
summary: Vulnerability: integer overflow permits memory overwrite by forwarded ssh-agent connections
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
present-in: 0.67
fixed-in: 4ff22863d895cb7ebfced4cf923a012a614adaa8 (0.68)
Many versions of PuTTY prior to 0.68 have a heap-corrupting integer overflow bug in the ssh_agent_channel_data function which processes messages sent by remote SSH clients to a forwarded agent connection.
The agent protocol begins every message with a 32-bit length field, which gives the length of the remainder of the message, not including the length field itself. In order to accumulate the entire message including the length field in an internal buffer, PuTTY added 4 to the received length value, to obtain the message length inclusive of everything. This addition was unfortunately missing a check for unsigned integer overflow.
Hence, sending a length field large enough to overflow when 4 is added to it, such as 0xFFFFFFFD, would cause PuTTY to record a value for the total message length (totallen) which was smaller than the amount of data it had already seen (lensofar, which at this point would be 4 bytes for the length field itself). It would then assume that the expression totallen-lensofar represented the amount of space it was safe to write into its buffer, but in the overflowing case this value would wrap back round to a number just less than 2^32, far larger than the allocated heap block, and PuTTY could be induced to overwrite its heap with data sent by the attacker.
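The length arithmetic described above, written out as an added example in C (not code from PuTTY or from the advisory): the unchecked computation beside a checked one that rejects a wrapping length field. The sample headers and the AGENT_MAX_MSG cap are constructed assumptions, not values from PuTTY.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not PuTTY's code. An ssh-agent message starts with a
 * 4-byte big-endian length that excludes the length field itself. The
 * buffering logic tracks totallen (message length including the 4-byte field)
 * and lensofar (bytes already received: 4, right after the field is read). */

#define AGENT_LEN_FIELD 4u
/* Assumed upper bound for a single agent message; the real limit is an assumption. */
#define AGENT_MAX_MSG 262144u

/* Sample headers (constructed): the wrapping value from the advisory, and a benign one. */
const unsigned char kOverflowHdr[4] = {0xFF, 0xFF, 0xFF, 0xFD};
const unsigned char kBenignHdr[4]   = {0x00, 0x00, 0x00, 0x0B};

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked arithmetic: returns what the code would believe is the number of
 * bytes still safe to append to its buffer after the length field. */
uint32_t unchecked_space_left(const unsigned char hdr[4])
{
    uint32_t totallen = read_be32(hdr) + AGENT_LEN_FIELD; /* wraps when len > 0xFFFFFFFB */
    uint32_t lensofar = AGENT_LEN_FIELD;                  /* the 4 header bytes */
    return totallen - lensofar;                           /* wraps again if totallen < lensofar */
}

/* Checked version: refuse a length that would overflow the addition or exceed
 * the cap, so that totallen - lensofar can never wrap. */
bool checked_space_left(const unsigned char hdr[4], uint32_t *space_left)
{
    uint32_t len = read_be32(hdr);
    if (len > UINT32_MAX - AGENT_LEN_FIELD)   /* len + 4 would not fit in 32 bits */
        return false;
    if (len > AGENT_MAX_MSG)                  /* assumption: reject implausible sizes */
        return false;
    *space_left = (len + AGENT_LEN_FIELD) - AGENT_LEN_FIELD;
    return true;
}

int main(void)
{
    uint32_t n = 0;
    printf("unchecked: 0x%08X bytes believed free\n",
           (unsigned)unchecked_space_left(kOverflowHdr));
    printf("checked:   %s\n",
           checked_space_left(kOverflowHdr, &n) ? "accepted" : "rejected");
    printf("benign:    %s, %u bytes to read\n",
           checked_space_left(kBenignHdr, &n) ? "accepted" : "rejected", (unsigned)n);
    return 0;
}
```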
If your server is running Linux or any reasonably similar Unix, and has the socat network utility installed, then you can use this simple proof of concept to determine whether you are affected. Simply run the shell command
(echo -ne '\xFF\xFF\xFF\xFD\x0B'; cat /dev/zero) | socat stdio unix-connect:$SSH_AUTH_SOCK
and PuTTY will crash.
This bug is only exploitable at all if you have enabled SSH agent forwarding, which is turned off by default. Moreover, an attacker able to exploit this bug would have to already be able to connect to the Unix-domain socket representing the forwarded agent connection. Since any attacker with that capability would necessarily already be able to generate signatures with your agent's stored private keys, you should in normal circumstances be defended against this vulnerability by the same precautions you and your operating system were already taking to prevent untrusted people from accessing your SSH agent.
This vulnerability was reported by Tim Kosse, and has been assigned CVE ID CVE-2017-6542.
Title: PuTTY ssh_agent_channel_data Integer Overflow
Published: 2017-06-08T00:00:00
Source file: https://packetstormsecurity.com/files/download/142870/puttysshagent-overflow.txt
Page: https://packetstormsecurity.com/files/142870/PuTTY-ssh_agent_channel_data-Integer-Overflow.html
CVE: CVE-2017-6542
CVSS: 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL)
Related identifiers: GLSA-201703-03, GLSA-201706-09, GENTOO_GLSA-201703-03.NASL, GENTOO_GLSA-201706-09.NASL, OPENSUSE-2017-354.NASL, FEDORA_2017-EFDD962FEE.NASL, FREEBSD_PKG_9B973E970A9911E7ACE7080027EF73EC.NASL, 9B973E97-0A99-11E7-ACE7-080027EF73EC, OPENVAS:1361412562310872892, 1337DAY-ID-27916, EDB-ID:42137
Related records

CVE-2017-6542 (NVD; published 2017-03-27, modified 2018-10-30; CVSS 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P)
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6542
The ssh_agent_channel_data function in PuTTY before 0.68 allows remote attackers to have unspecified impact via a large length value in an agent protocol message and leveraging the ability to connect to the Unix-domain socket representing the forwarded agent connection, which triggers a buffer overflow.

GLSA-201703-03: PuTTY: Buffer overflow (Gentoo; published 2017-03-19)
https://security.gentoo.org/glsa/201703-03
Background: PuTTY is a free implementation of Telnet and SSH for Windows and Unix platforms, along with an xterm terminal emulator.
Description: A heap-corrupting buffer overflow bug in the ssh_agent_channel_data function of PuTTY was found.
Impact: A remote attacker, utilizing the SSH agent forwarding of an SSH server, could execute arbitrary code with the privileges of the user running the client or cause a Denial of Service condition.
Workaround: There is no known workaround at this time.
Resolution: All PuTTY users should upgrade to the latest version:
 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/putty-0.68"

GLSA-201706-09: FileZilla: Buffer overflow (Gentoo; published 2017-06-06; CVSS 7.5)
https://security.gentoo.org/glsa/201706-09
Background: FileZilla is an open source FTP client.
Description: FileZilla is affected by the same vulnerability as reported in GLSA 201703-03 because the package included a vulnerable copy of PuTTY. Please read the GLSA for PuTTY referenced above for details.
Impact: A remote attacker, utilizing the SSH agent forwarding of an SSH server, could execute arbitrary code with the privileges of the user running FileZilla or cause a Denial of Service condition.
Workaround: There is no known workaround at this time.
Resolution: All FileZilla users should upgrade to the latest version:
 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-ftp/filezilla-3.25.2"

Nessus plugins (Tenable Network Security; all local package checks for CVE-2017-6542, rated CVSS2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P with temporal E:POC/RL:OF/RC:C, CVSS3 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and marked "Exploits are available")

97818, OPENSUSE-2017-354.NASL: "openSUSE Security Update : putty (openSUSE-2017-354)", published 2017-03-20. https://www.tenable.com/plugins/nessus/97818
This update to putty 0.68 fixes the following security issue: CVE-2017-6542: If SSH agent forwarding is enabled, local attackers that are also able to connect to the UNIX domain socket could have overwritten heap data (boo#1029256). See also https://bugzilla.opensuse.org/show_bug.cgi?id=1029256. The plugin checks openSUSE 42.1 and 42.2 for putty, putty-debuginfo and putty-debugsource older than 0.68-12.1.

97815, GENTOO_GLSA-201703-03.NASL: "GLSA-201703-03 : PuTTY: Buffer overflow", published 2017-03-20. https://www.tenable.com/plugins/nessus/97815
Repeats the GLSA-201703-03 text above; checks /var/db/pkg for net-misc/putty older than 0.68.

100652, GENTOO_GLSA-201706-09.NASL: "GLSA-201706-09 : FileZilla: Buffer overflow", published 2017-06-07. https://www.tenable.com/plugins/nessus/100652
Repeats the GLSA-201706-09 text above; checks /var/db/pkg for net-ftp/filezilla older than 3.25.2.

97789, FREEBSD_PKG_9B973E970A9911E7ACE7080027EF73EC.NASL: "FreeBSD : PuTTY -- integer overflow permits memory overwrite by forwarded ssh-agent connections (9b973e97-0a99-11e7-ace7-080027ef73ec)", published 2017-03-17. https://www.tenable.com/plugins/nessus/97789
Quotes Simon G. Tatham's advisory above (opening paragraph and the exploitability paragraph). Vulnerability publication date 2017/01/29, patch publication date 2017/03/16. See also https://vuxml.freebsd.org/freebsd/9b973e97-0a99-11e7-ace7-080027ef73ec.html. Checks pkg_info output for putty<0.68.

101873, FEDORA_2017-EFDD962FEE.NASL: "Fedora 25 : putty (2017-efdd962fee)", published 2017-07-21. https://www.tenable.com/plugins/nessus/101873
This is an update fixing CVE-2017-6542 (description extracted by Tenable from the Fedora update system website). Vulnerability publication date 2017/03/27, patch publication date 2017/07/19. See also https://bodhi.fedoraproject.org/updates/FEDORA-2017-efdd962fee. Checks Fedora 25 for putty older than 0.70-1.fc25.

Exploit-DB

EDB-ID:42137: PuTTY < 0.68 - 'ssh_agent_channel_data' Integer Overflow Heap Corruption. CVE-2017-6542. Dos exploit for Linux platform.
Tags: Integer Overflow", "modified": "2017-06-07T00:00:00", "published": "2017-06-07T00:00:00", "id": "EDB-ID:42137", "href": "https://www.exploit-db.com/exploits/42137/", "type": "exploitdb", "title": "PuTTY < 0.68 - 'ssh_agent_channel_data' Integer Overflow Heap Corruption", "sourceData": "Source: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html\r\n\r\nsummary: Vulnerability: integer overflow permits memory overwrite by forwarded ssh-agent connections\r\nclass: vulnerability: This is a security vulnerability.\r\ndifficulty: fun: Just needs tuits, and not many of them.\r\npriority: high: This should be fixed in the next release.\r\npresent-in: 0.67\r\nfixed-in: 4ff22863d895cb7ebfced4cf923a012a614adaa8 (0.68)\r\n\r\nMany versions of PuTTY prior to 0.68 have a heap-corrupting integer overflow bug in the ssh_agent_channel_data function which processes messages sent by remote SSH clients to a forwarded agent connection.\r\n\r\nThe agent protocol begins every message with a 32-bit length field, which gives the length of the remainder of the message, not including the length field itself. In order to accumulate the entire message including the length field in an internal buffer, PuTTY added 4 to the received length value, to obtain the message length inclusive of everything. This addition was unfortunately missing a check for unsigned integer overflow.\r\n\r\nHence, sending a length field large enough to overflow when 4 is added to it, such as 0xFFFFFFFD, would cause PuTTY to record a value for the total message length (totallen) which was smaller than the amount of data it had already seen (lensofar, which at this point would be 4 bytes for the length field itself). 
Then, it would assume that the expression totallen-lensofar represented the amount of space it was safe to write into its buffer \u2013 but in fact, in the overflowing case, this value would wrap back round to a number just less than 2^32, far larger than the allocated heap block, and PuTTY could be induced to overwrite its heap with data sent by the attacker.\r\n\r\nIf your server is running Linux or any reasonably similar Unix, and has the socat network utility installed, then you can use this simple proof of concept to determine whether you are affected. Simply run the shell command\r\n\r\n(echo -ne '\\xFF\\xFF\\xFF\\xFD\\x0B'; cat /dev/zero) | socat stdio unix-connect:$SSH_AUTH_SOCK\r\n\r\nand PuTTY will crash.\r\n\r\nThis bug is only exploitable at all if you have enabled SSH agent forwarding, which is turned off by default. Moreover, an attacker able to exploit this bug would have to have already been able to connect to the Unix-domain socket representing the forwarded agent connection. 
Since any attacker with that capability would necessarily already be able to generate signatures with your agent's stored private keys, you should in normal circumstances be defended against this vulnerability by the same precautions you and your operating system were already taking to prevent untrusted people from accessing your SSH agent.\r\n\r\nThis vulnerability was reported by Tim Kosse, and has been assigned CVE ID CVE-2017-6542.\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/42137/"}], "zdt": [{"lastseen": "2018-03-13T16:11:29", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category dos / poc", "modified": "2017-06-09T00:00:00", "published": "2017-06-09T00:00:00", "href": "https://0day.today/exploit/description/27916", "id": "1337DAY-ID-27916", "type": "zdt", "title": "PuTTY < 0.68 - ssh_agent_channel_data Integer Overflow Heap Corruption Vulnerability", "sourceData": "Source: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html\r\n \r\nsummary: Vulnerability: integer overflow permits memory overwrite by forwarded ssh-agent connections\r\nclass: vulnerability: This is a security vulnerability.\r\ndifficulty: fun: Just needs tuits, and not many of them.\r\npriority: high: This should be fixed in the next release.\r\npresent-in: 0.67\r\nfixed-in: 4ff22863d895cb7ebfced4cf923a012a614adaa8 (0.68)\r\n \r\nMany versions of PuTTY prior to 0.68 have a heap-corrupting integer overflow bug in the ssh_agent_channel_data function which processes messages sent by remote SSH clients to a forwarded agent connection.\r\n \r\nThe agent protocol begins every message with a 32-bit length field, which gives the length of the remainder of the message, not including the length field itself. 
In order to accumulate the entire message including the length field in an internal buffer, PuTTY added 4 to the received length value, to obtain the message length inclusive of everything. This addition was unfortunately missing a check for unsigned integer overflow.\r\n \r\nHence, sending a length field large enough to overflow when 4 is added to it, such as 0xFFFFFFFD, would cause PuTTY to record a value for the total message length (totallen) which was smaller than the amount of data it had already seen (lensofar, which at this point would be 4 bytes for the length field itself). Then, it would assume that the expression totallen-lensofar represented the amount of space it was safe to write into its buffer \u2013 but in fact, in the overflowing case, this value would wrap back round to a number just less than 2^32, far larger than the allocated heap block, and PuTTY could be induced to overwrite its heap with data sent by the attacker.\r\n \r\nIf your server is running Linux or any reasonably similar Unix, and has the socat network utility installed, then you can use this simple proof of concept to determine whether you are affected. Simply run the shell command\r\n \r\n(echo -ne '\\xFF\\xFF\\xFF\\xFD\\x0B'; cat /dev/zero) | socat stdio unix-connect:$SSH_AUTH_SOCK\r\n \r\nand PuTTY will crash.\r\n \r\nThis bug is only exploitable at all if you have enabled SSH agent forwarding, which is turned off by default. Moreover, an attacker able to exploit this bug would have to have already been able to connect to the Unix-domain socket representing the forwarded agent connection. 
Since any attacker with that capability would necessarily already be able to generate signatures with your agent's stored private keys, you should in normal circumstances be defended against this vulnerability by the same precautions you and your operating system were already taking to prevent untrusted people from accessing your SSH agent.\r\n \r\nThis vulnerability was reported by Tim Kosse, and has been assigned CVE ID CVE-2017-6542.\n\n# 0day.today [2018-03-13] #", "sourceHref": "https://0day.today/exploit/27916", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:20", "bulletinFamily": "unix", "description": "\nSimon G. Tatham reports:\n\nMany versions of PuTTY prior to 0.68 have a heap-corrupting integer\n\t overflow bug in the ssh_agent_channel_data function which processes\n\t messages sent by remote SSH clients to a forwarded agent connection. [...]\nThis bug is only exploitable at all if you have enabled SSH\n\t agent forwarding, which is turned off by default. Moreover, an\n\t attacker able to exploit this bug would have to have already been able\n\t to connect to the Unix-domain socket representing the forwarded\n\t agent connection. 
Since any attacker with that capability would\n\t necessarily already be able to generate signatures with your agent's\n\t stored private keys, you should in normal circumstances be defended\n\t against this vulnerability by the same precautions you and your\n\t operating system were already taking to prevent untrusted people\n\t from accessing your SSH agent.\n\n", "modified": "2017-01-29T00:00:00", "published": "2017-01-29T00:00:00", "id": "9B973E97-0A99-11E7-ACE7-080027EF73EC", "href": "https://vuxml.freebsd.org/freebsd/9b973e97-0a99-11e7-ace7-080027ef73ec.html", "title": "PuTTY -- integer overflow permits memory overwrite by forwarded ssh-agent connections", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:34:11", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-07-21T00:00:00", "id": "OPENVAS:1361412562310872892", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872892", "title": "Fedora Update for putty FEDORA-2017-efdd962fee", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_efdd962fee_putty_fc25.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for putty FEDORA-2017-efdd962fee\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872892\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-07-21 07:33:30 +0200 (Fri, 21 Jul 2017)\");\n script_cve_id(\"CVE-2017-6542\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for putty FEDORA-2017-efdd962fee\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'putty'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"putty on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-efdd962fee\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SV6SQ466Q4MBL7KMVFEFUP64DLNIBWZW\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"putty\", rpm:\"putty~0.70~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}