PuTTY vulnerability vuln-sftp-readdir

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Privacy | Changes | Wishlist

summary: Vulnerability: crafted SFTP FXP_READDIR reply may allow remote code execution
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
present-in: 0.56 2005-02-20
fixed-in: 0.57 2005-02-21 893d187b81991a7b259ede864b7d18ae60c59589

Many versions of PSFTP and PSCP prior to 0.57 have a heap corruption vulnerability in their treatment of the response to the FXP_READDIR command (enumerate entries in a directory) in the SSH File Transfer Protocol (SFTP).

In order for this vulnerability to be exploited, the user connect to a malicious server and issue a ls or dir command to PSFTP, or supply the -ls command-line option to PSCP.

(Note however that the vulnerability kicks in after host key verification, so the host key of the server has to have been accepted to get this far.)

SFTP is always used by PSFTP; it is also used by PSCP if available (depending on server behaviour). It can be used in both SSH-2 and SSH-1 (again, depending on server behaviour). Thus, a malicious server can exploit this in all invocations of PSFTP and PSCP, unless the -scp option is supplied to PSCP.

This bug was discovered by a contributor to iDEFENSE's Vulnerability Contributor Program. Along with vuln-sftp-string, it is documented in iDEFENSE's advisory 02.21.05, mentioned in Secunia's advisory SA14333, and has been assigned CVE ID CVE-2005-0467. It has also been individually assigned OSVDB ID 14002.

Vulnerability details: In response to an FXP_READDIR request, the server returns a count of directory entries, followed by the entries themselves. In sftp.c:fxp_readdir_recv(), this count was passed to snewn() to allocate memory, where it was used as a multiplier for an internal structure size. With a sufficiently large count, an integer overflow could be provoked in snewn(), such that insufficient memory could silently be malloc()'d. fxp:readdir_recv() would then read server-supplied data into this buffer, leading to a heap corruption with server-controlled contents, and hence potentially to execution of arbitrary code.


If you want to comment on this web site, see the Feedback page.
Audit trail for this vulnerability.
(last revision of this bug record was at 2019-03-21 07:16:27 +0000)