Home
|
FAQ
|
Feedback
|
Licence
|
Updates
|
Mirrors
|
Keys
|
Links
|
Team
Download:
Stable
·
Pre-release
·
Snapshot
|
Docs
|
Privacy
|
Changes
|
Wishlist
Up to and including version 0.70, the Unix PuTTY tools used
select
(2) to watch their collections of active Unix file
descriptors for activity.
This involves putting all the file descriptors into a variable of type
fd_set
, using the OS-provided macro FD_SET
.
Unfortunately, FD_SET
does not bounds-check the input
file descriptor. So if any PuTTY tool encountered an fd greater than
or equal to FD_SETSIZE
(typically 1024), then not only
would it be unable to monitor that file descriptor, but it would
suffer a buffer overflow in the attempt, overwriting other variables
on the stack.
We don't know if this was remotely exploitable, but it could at least be remotely triggered by a malicious SSH server, if you enabled any of the options that allow the server to open a channel:
As of 0.71, all the Unix PuTTY tools have switched to monitoring file
descriptors using poll
(2), which does not have this API
bug.
This vulnerability was found by Teguh P. Alko, as part of a bug bounty programme run under the auspices of the EU-FOSSA project. It has been assigned CVE ID CVE-2019-9895.