Simon Tatham PuTTY 0.56 sftp.c fxp_readdir_recv FXP_READDIR memory corruption
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.0 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Simon Tatham PuTTY 0.56. It has been classified as problematic. Impacted is the function fxp_readdir_recv of the file sftp.c. This manipulation of the argument FXP_READDIR causes memory corruption.
This vulnerability is tracked as CVE-2005-0467. The attack is possible to be carried out remotely. No exploit exists.
Upgrading the affected component is recommended.
Details
A vulnerability has been found in Simon Tatham PuTTY 0.56 (Connectivity Software) and classified as critical. Affected by this vulnerability is the function fxp_readdir_recv of the file sftp.c. The manipulation of the argument FXP_READDIR with an unknown input leads to a memory corruption vulnerability. The CWE definition for the vulnerability is CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:
Multiple integer overflows in the (1) sftp_pkt_getstring and (2) fxp_readdir_recv functions in the PSFTP and PSCP clients for PuTTY 0.56, and possibly earlier versions, allow remote malicious web sites to execute arbitrary code via SFTP responses that corrupt the heap after insufficient memory has been allocated.
The bug was discovered 02/21/2005. The weakness was disclosed 02/21/2005 by Gael Delalleau with iDEFENSE (Website). The advisory is shared at chiark.greenend.org.uk. This vulnerability is known as CVE-2005-0467 since 02/18/2005. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details are known, but no exploit is available.
The vulnerability scanner Nessus provides a plugin with the ID 19057 (FreeBSD : putty -- pscp/psftp heap corruption vulnerabilities (a413ed94-836e-11d9-a9e7-0001020eed82)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family FreeBSD Local Security Checks and running in the context l.
Upgrading eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at chiark.greenend.org.uk. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published even before and not after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (19403), Tenable (19057), SecurityFocus (BID 12601†), OSVDB (14002†) and Secunia (SA14333†). The entry VDB-1238 is pretty similar. If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 7.0
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Memory corruptionCWE: CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 19057
Nessus Name: FreeBSD : putty -- pscp/psftp heap corruption vulnerabilities (a413ed94-836e-11d9-a9e7-0001020eed82)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Nessus Port: 🔍
OpenVAS ID: 52179
OpenVAS Name: FreeBSD Ports: putty
OpenVAS File: 🔍
OpenVAS Family: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Patch: chiark.greenend.org.uk
Timeline
02/18/2005 🔍02/20/2005 🔍
02/21/2005 🔍
02/21/2005 🔍
02/21/2005 🔍
02/21/2005 🔍
02/21/2005 🔍
02/21/2005 🔍
02/28/2005 🔍
07/13/2005 🔍
07/03/2024 🔍
Sources
Advisory: chiark.greenend.org.ukResearcher: Gael Delalleau
Organization: iDEFENSE
Status: Not defined
Confirmation: 🔍
CVE: CVE-2005-0467 (🔍)
GCVE (CVE): GCVE-0-2005-0467
GCVE (VulDB): GCVE-100-1237
X-Force: 19403 - PuTTY "sftp_pkt_getstring" function buffer overflow, High Risk
SecurityFocus: 12601 - PuTTY/PSFTP/PSCP Multiple Remote Integer Overflow Vulnerabilities
Secunia: 14333 - PuTTY Two Integer Overflow Vulnerabilities, Moderately Critical
OSVDB: 14002 - PuTTY fxp_readdir_recv() Function Remote Overflow
Vulnerability Center: 7165
See also: 🔍
Entry
Created: 02/28/2005 11:28Updated: 07/03/2024 09:59
Changes: 02/28/2005 11:28 (89), 07/01/2019 15:17 (3), 07/03/2024 09:59 (17)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.