Vulnerability ID 777

Simon Tatham PuTTY up to 0.54 SSH Connection Attempt Handler Heap-based buffer overflow

CVSSv3 Temp Score: 7.0
Current Exploit Price (≈): $0-$1k

A vulnerability classified as critical was found in Simon Tatham's PuTTY up to and including version 0.54. It lies in the SSH client's connection handling; the advisories referenced below (BID 10850, SBV-5118) attribute it to incorrect integer handling in the modpow() bignum routine, which lets a malicious or impersonated SSH server corrupt the heap of the connecting client. The defect is reached during the SSH2 handshake, before the user has authenticated, which is why the Gentoo advisory cited below describes it as pre-authentication code execution. It impacts confidentiality, integrity, and availability.

The weakness was disclosed 08/04/2004 by Core Security Technologies. The advisory is available at chiark.greenend.org.uk. The vulnerability has been identified as CVE-2004-1440 since 02/13/2005. The attack can be carried out remotely; note that because PuTTY is the client, the attacker has to control, impersonate, or sit in the path to the SSH server the victim connects to. No form of authentication is needed for exploitation. The technical details are given in the cited advisories, and an exploit is available.

The exploit is available for download at securityfocus.com. We estimate the 0-day to have been worth approximately $2k-$5k. The vulnerability scanner Nessus provides a plugin with the ID 14560 (GLSA-200408-04 : PuTTY: Pre-authentication arbitrary code execution), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Gentoo Local Security Checks and runs in the local context: it checks the installed package version rather than probing the network, hence port 0.

Upgrading eliminates this vulnerability. Affected releases are 0.54 and earlier, so upgrading to PuTTY 0.55 or any later release removes the issue; the fixed release is available for download at chiark.greenend.org.uk. The countermeasure was published 1 day after the disclosure of the vulnerability.
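The Nessus and OpenVAS plugins listed on this page are local version checks against the affected range (0.54 and earlier) and the fixed release (0.55). The following is an added example of the same check written for this entry; it is not code from the PuTTY project, from Nessus, or from OpenVAS. The version-string formats it parses and the inventory lines it runs over are constructed for illustration, and the host names are hypothetical.

```python
import re
from typing import List, Optional, Tuple

# CVE-2004-1440 affects PuTTY releases up to and including 0.54;
# 0.55 is the first release with the fix.
AFFECTED_MAX = (0, 54)

# A PuTTY release number is "<major>.<minor>" (e.g. 0.54), optionally with a
# letter suffix such as 0.53b. The look-arounds stop the pattern from matching
# inside longer dotted strings or inside dates.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)(?![\d.])")


def parse_putty_version(text: str) -> Optional[Tuple[int, int]]:
    """Extract a PuTTY release number (major, minor) from a free-form string.

    Handles constructed formats such as 'PuTTY Release 0.54', a Gentoo-style
    package atom 'net-misc/putty-0.54-r1' (assumed format) or a bare '0.62'.
    Returns None when no release number is present (for example a dated
    development snapshot) so that the caller reports 'unknown' instead of
    silently treating the host as fixed.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)))


def classify(version: Optional[Tuple[int, int]]) -> str:
    """Map a parsed version to 'affected', 'fixed' or 'unknown'."""
    if version is None:
        return "unknown"
    # Tuple comparison gives a numeric (not lexical) ordering, so 0.9 < 0.54
    # is not a concern and 0.62 compares greater than 0.54 as intended.
    return "affected" if version <= AFFECTED_MAX else "fixed"


# Constructed inventory: one "<host>\t<version string>" line per machine,
# the way a fleet inventory export might record it (format assumed).
SAMPLE_INVENTORY = """\
ws01\tPuTTY Release 0.54
ws02\tPuTTY Release 0.55
gw01\tnet-misc/putty-0.53b
build01\tnet-misc/putty-0.62-r1
dev01\tPuTTY Development snapshot 2004-08-01
"""


def audit_inventory(inventory: str) -> List[Tuple[str, str]]:
    """Return (host, status) for every non-empty inventory line."""
    results = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, raw = line.partition("\t")
        results.append((host, classify(parse_putty_version(raw))))
    return results


def affected_hosts(inventory: str) -> List[str]:
    """Hosts that must be upgraded to PuTTY 0.55 or later."""
    return [host for host, status in audit_inventory(inventory) if status == "affected"]


if __name__ == "__main__":
    for host, status in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host:8} {status}")
    print("upgrade:", ", ".join(affected_hosts(SAMPLE_INVENTORY)))
```

Snapshot builds are deliberately reported as "unknown" rather than "fixed": a dated development snapshot carries no release number, and a check that defaulted such hosts to "fixed" would hide exactly the machines that need a manual look.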

The vulnerability is also documented in the databases at SecurityFocus (BID 10850), X-Force (16885), Secunia (SA12212) and Vulnerability Center (SBV-5118). Further details are available at chiark.greenend.org.uk.

CVSSv3

Base Score: 7.3 [?]
Temp Score: 7.0 [?]
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:X [?]
Reliability: High

CVSSv2

Base Score: 6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P) [?]
Temp Score: 5.9 (CVSS2#E:ND/RL:OF/RC:ND) [?]
Reliability: High

CVSSv2 vector legend (values selected for this entry are marked with *):

AV (Access Vector):       Local    | Adjacent | Network*
AC (Access Complexity):   High     | Medium*  | Low
Au (Authentication):      Multiple | Single   | None*
C  (Confidentiality):     None     | Partial* | Complete
I  (Integrity):           None     | Partial* | Complete
A  (Availability):        None     | Partial* | Complete

CPE

Exploiting

Class: Buffer overflow
Local: No
Remote: Yes

Availability: Yes
Download: securityfocus.com

Current Price Estimation: $2k-$5k (0-day) / $0-$1k (Today)



Nessus ID: 14560
Nessus Name: GLSA-200408-04 : PuTTY: Pre-authentication arbitrary code execution
Nessus File: gentoo_GLSA-200408-04.nasl
Nessus Family: Gentoo Local Security Checks
Nessus Context: local
Nessus Port: 0
OpenVAS ID: 54634
OpenVAS Name: Gentoo Security Advisory GLSA 200408-04 (PuTTY)
OpenVAS File: glsa_200408_04.nasl
OpenVAS Family: Gentoo Local Security Checks

Countermeasures

Recommended: Upgrade
Status: Official fix
Reaction Time: 1 day since reported
0-Day Time: 0 days since found
Exposure Time: 1 day since known

Patch: chiark.greenend.org.uk

Timeline

08/04/2004 Advisory disclosed
08/04/2004 +0 days VulDB entry created
08/04/2004 +0 days OSVDB entry created
08/05/2004 +1 days Countermeasure disclosed
08/18/2004 +13 days VulnerabilityCenter entry created
08/30/2004 +12 days Nessus plugin released
12/31/2004 +123 days NVD disclosed
12/31/2004 +0 days VulnerabilityCenter entry assigned
02/13/2005 +44 days CVE assigned
04/03/2013 +2971 days VulnerabilityCenter entry updated
07/07/2015 +825 days VulDB entry updated

Sources

Advisory: chiark.greenend.org.uk
Organization: Core Security Technologies
Confirmation: chiark.greenend.org.uk

CVE: CVE-2004-1440 (mitre.org) (nvd.nist.gov) (cvedetails.com)

SecurityFocus: 10850 - PuTTY Modpow Integer Handling Memory Corruption Vulnerability
Secunia: 12212 - PuTTY Authentication Process Buffer Overflow Vulnerabilities, Moderately Critical
X-Force: 16885 - PuTTY allows attacker to execute arbitrary code, High Risk
Vulnerability Center: 5118 - PuTTY Client Wrong Modpow Integer Handling Enables Code Execution, Medium
OSVDB: 8299

Misc.: chiark.greenend.org.uk

Entry

Created: 08/04/2004
Updated: 07/07/2015
Entry: 94.9% complete