Vulnerabilities in PuTTY and PSCP

Advisory ID Internal

Bugtraq ID: 10850, 10870

CVE Name: None currently assigned.

Title: Vulnerabilities in PuTTY and PSCP

Class: Boundary Error Condition

Remotely Exploitable: Yes

Locally Exploitable: No

Vendors contacted:

- Maintainers of PuTTY
. Core notification: 2004-07-28
. Notification acknowledged by PuTTY maintainers: 2004-07-29
. Fixed version (beta 0.55) released: 2004-08-03


Vulnerability Description:

PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator.

PuTTY and PSCP are client applications used by network and security administrators to login securily to networked server systems.

We have found that by sending specially crafted packets to the client during the authentication process, an attacker is able to compromise and execute arbitrary code on the machine running PuTTY or PSCP.

In SSH2, an attacker impersonating a trusted host can launch an attack before the client has the ability to determine the difference between the trusted and fake host. This attack is performed before host key verification.

WinSCP is an open source SFTP (SSH File Transfer Protocol) and SCP (Secure CoPy) client for Windows using SSH (Secure SHell). The SSH core of WinSCP is based on PuTTY and is affected by the same vulnerabilities.


Vulnerable Packages:

PuTTY, PSCP, PSFTP and Plink 0.54 and previous versions are vulnerable.

IVT (Freeware VT220 Telnet/Ssh Emulator) version 18.0a and previous versions are vulnerable.

Polish version of PuTTY ( is vulnerable.

PuTTYcyg (Cygwin terminal) versions previous to 20040811 are vulnerable.

PuTTY for Symbian OS 1.3.0 and previous versions are vulnerable.

RISC OS software:
· SSHProxy: all versions are vulnerable (uses PuTTY 0.45b)
· NettleSSH: all versions are vulnerable (uses PuTTY 0.45b)
· pscp 0.49b: all subversions are vulnerable (uses PuTTY 0.49b)
· puttytools: all versions are vulnerable (uses PuTTY CVS from 2004-01)

Secure iXplorer version 1.28 and previous versions might be vulnerable.

WinSCP 3.6.6. and previous versions are vulnerable.


Solution/Vendor Information/Workaround:

PuTTY 0.55 fixes these vulnerabilities. It is available at:

PuTTY maintainers recommend that everybody upgrade to 0.55 as soon as possible.

Gentoo Linux includes PuTTY, refer to their advisory:

IVT (Freeware VT220 Telnet/Ssh Emulator) version 18.1 fixes these vulnerabilities:

PuTTYcyg (Cygwin terminal) version 20040811 fixes these vulnerabilities:

PuTTY for Symbian OS Version 1.3.1 fixes these vulnerabilities:

WinSCP 3.6.7 fixes these vulnerabilities and is available at:

Additional information concerning these attacks written by Simon Tatham, author of Putty, is available at:


These vulnerabilities were found by Daniel De Luca, Laura Nuñez and Carlos Sarraute from Core Security Technologies.

We wish to thank Simon Tatham and Jacob Nevins, maintainers of PuTTY, and several other authors of software using part of the PuTTY code, for their quick response to this issue and for providing additional information concerning the attacks.


Technical Description - Exploit/Concept Code:

The vulnerabilities were triggered by modifying the implementation of OpenSSH 3.8.1p1, specifically by modifying the following functions:
to send specially crafted packets to the SSH client.

[1] Heap overflow using Bignum

While PSCP is authenticating to the server this vulnerability can be triggered by sending a specially crafted big number (the "base" big number sent by the server).
The vulnerability lies in the following code (from sshbn.c):
* Compute (base ^ exp) % mod.
* The base MUST be smaller than the modulus.
* The most significant word of mod MUST be non-zero.
* We assume that the result array is the same size as the mod array.
Bignum modpow(Bignum base, Bignum exp, Bignum mod)
BignumInt *a, *b, *n, *m;
int mshift;
int mlen, i, j;
Bignum result;

/* Allocate m of size mlen, copy mod to m */
/* We use big endian internally */
mlen = mod[0];


/* Allocate n of size mlen, copy base to n */
n = snewn(mlen, BignumInt);
i = mlen - base[0];
for (j = 0; j < i; j++)
n[j] = 0;
for (j = 0; j < base[0]; j++)
n[i + j] = base[base[0] - j];

In a normal session, the base is smaller than the modulus, but no checks are done to ensure this. By sending a specially crafted base, when i = mlen - base[0] is calculated, we can give i a controlled negative value, then overflow the memory allocated to n, when the
for (j = 0; j < base[0]; j++)
n[i + j] = base[base[0] - j];
loop is executed. This vulnerability can be used by an attacker to execute arbitrary code on the machine running PSCP.

[2] Another heap overflow using Bignum

A second vulnerability can be triggered in the PuTTY client during the authentication process. By modifying the second big number sent by the server, an attacker can make the PuTTY client crash.

The bug lies in the rsaencrypt() function, which performs RSA encryption with PKCS#1 v1.5 padding, as used in the SSH1 key exchange. This function assumes that the data to be encrypted is smaller than the modulus of the public key. If this is not the case, the memmove() operation at the start of the function will overwrite memory before the input buffer.

We believe this could be exploited by an attacker to execute arbitrary code on the machine running PuTTY.

About Core Security 

Core Security develops strategic security solutions for Fortune 1000 corporations, government agencies and military organizations. The company offers information security software and services designed to assess risk and protect and manage information assets.


The contents of this advisory are copyright (c) 2004 Core Security Technologies and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

$Id: putty-advisory.txt,v 1.11 2004/08/18 21:06:35 carlos Exp $