CVE-2005-0467 - Remote security vulnerability in PuTTY

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
putty
nessus

Summary

Multiple integer overflows in the (1) sftp_pkt_getstring and (2) fxp_readdir_recv functions in the PSFTP and PSCP clients for PuTTY 0.56, and possibly earlier versions, allow remote malicious web sites to execute arbitrary code via SFTP responses that corrupt the heap after insufficient memory has been allocated.

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200502-28.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200502-28 (PuTTY: Remote code execution). Two vulnerabilities have been discovered in the PSCP and PSFTP clients, which can be triggered by the SFTP server itself. These issues are caused by the improper handling of the FXP_READDIR response, along with other string fields. Impact: An attacker can set up a malicious SFTP server that sends these malformed responses to a client, potentially allowing the execution of arbitrary code on the client's system. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17164
    published: 2005-02-22
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/17164
    title: GLSA-200502-28 : PuTTY: Remote code execution
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200502-28.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    # Purpose: local Gentoo package check for CVE-2005-0467 (heap corruption
    # in the PSCP/PSFTP clients, fixed in net-misc/putty 0.57).  This first
    # part of the plugin only registers metadata; the package check itself
    # comes after the description block.
    
    include("compat.inc");
    
    # When the scanner loads the plugin with `description` set, it only wants
    # the plugin's attributes: register them and exit without doing any check.
    if (description)
    {
      # Plugin id and version as published on tenable.com (plugin 17164).
      script_id(17164);
      script_version("1.23");
      script_cvs_date("Date: 2019/08/02 13:32:42");
    
      # Cross-references: the CVE and the Gentoo advisory this check derives from.
      script_cve_id("CVE-2005-0467");
      script_xref(name:"GLSA", value:"200502-28");
    
      script_name(english:"GLSA-200502-28 : PuTTY: Remote code execution");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      # Report texts.  The description is the GLSA advisory text quoted
      # verbatim; do not reword it here, it is what the report displays.
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200502-28
    (PuTTY: Remote code execution)
    
        Two vulnerabilities have been discovered in the PSCP and PSFTP
        clients, which can be triggered by the SFTP server itself. These issues
        are caused by the improper handling of the FXP_READDIR response, along
        with other string fields.
      
    Impact :
    
        An attacker can setup a malicious SFTP server that would send
        these malformed responses to a client, potentially allowing the
        execution of arbitrary code on their system.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      # Reference URLs.  Each commented line is the original source; the
      # nessus.org/u? value registered below presumably stands in for it.
      # http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-readdir.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?009f4000"
      );
      # http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-string.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?eee581a9"
      );
      # http://www.idefense.com/application/poi/display?id=201&type=vulnerabilities
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0de7d285"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200502-28"
      );
      # Remediation: the fixed package is net-misc/putty 0.57, the same
      # boundary the qpkg_check() below uses.
      script_set_attribute(
        attribute:"solution", 
        value:
    "All PuTTY users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=net-misc/putty-0.57'"
      );
      # CVSS v2 base vector: network, low complexity, no auth, partial C/I/A.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # Local (credentialed) check; CPEs identify the package and the OS.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:putty");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/02/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/22");
      script_end_attributes();
    
      # Information-gathering category; no intrusive actions are taken.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      # ssh_get_info.nasl is expected to populate the Host/* keys required
      # here; the plugin is skipped entirely when any of them is missing.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      # End of the description phase: nothing below this point runs now.
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Preconditions for a Gentoo package check: local checks must be enabled,
    # the host must be Gentoo and the qpkg package list must be available.
    # audit() reports the corresponding reason and terminates the plugin.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # net-misc/putty older than 0.57 is affected by the PSCP/PSFTP heap
    # corruption (CVE-2005-0467); 0.57 and later are not.
    vulnerable = qpkg_check(package:"net-misc/putty", unaffected:make_list("ge 0.57"), vulnerable:make_list("lt 0.57"));
    
    if (!vulnerable)
    {
      # Tell "installed but already patched" apart from "not installed".
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "PuTTY");
    }
    else
    {
      # Raise the finding; in verbose mode attach the package evidence.
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_A413ED94836E11D9A9E70001020EED82.NASL
    description: Simon Tatham reports: This version fixes a security hole in previous versions of PuTTY, which can allow a malicious SFTP server to attack your client. If you use either PSCP or PSFTP, you should upgrade. Users of the main PuTTY program are not affected. (However, note that the server must have passed host key verification before this attack can be launched, so a man-in-the-middle shouldn't be able to exploit it.)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19057
    published: 2005-07-13
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19057
    title: FreeBSD : putty -- pscp/psftp heap corruption vulnerabilities (a413ed94-836e-11d9-a9e7-0001020eed82)