PuTTY vulnerability vuln-bignum-division-by-zero

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Privacy | Changes | Wishlist

summary: Vulnerability: non-coprime values in DSA signatures can cause buffer overflow in modular inverse
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
absent-in: r568
present-in: 0.52 0.53 0.53b 0.54 0.55 0.56 0.57 0.58 0.59 0.60 0.61 0.62
fixed-in: r9996 a7cc906df0f728f7181aa750494cb986bf0b5176 2013-08-05 0.63

Many versions of PuTTY prior to 0.63 have a buffer overflow vulnerability in the calculation of modular inverses when verifying a DSA signature.

One step of the DSA signature verification procedure involves computing the modular inverse of the integer s (part of the signature) with respect to the integer q (part of the public key). If s and q have any common factor, this modular inverse cannot exist. Of course, such a signature is invalid (and probably the private key is invalid too), but PuTTY will react to that situation by its bignum code overflowing a buffer when it attempts to divide by zero during Euclid's algorithm.

This bug applies to any DSA signature received by PuTTY, including during the initial key exchange phase. Therefore, this bug can be exploited by a malicious server, before the client has received and verified a host key signature. So this attack can be performed by a man-in-the-middle between the SSH client and server, and the normal host key protections against MITM attacks are bypassed. Even if you trust the server you think you are connecting to, you are not safe.

We are unaware of any way in which this can lead to remote code execution, since there is no control over the data written into the heap.

This bug does not affect RSA keys.

This bug has been assigned CVE ID CVE-2013-4207.


If you want to comment on this web site, see the Feedback page.
Audit trail for this vulnerability.
(last revision of this bug record was at 2019-03-21 07:16:27 +0000)