
PuTTY 0.66 fixes security vulnerability - geococcyxc
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html
======
UnoriginalGuy
I appreciate the hard work Simon Tatham continues to do on Putty. Has he said
anything about the possibility of either signing the Putty executable or at
least using HTTPS? Or is he waiting for Let's Encrypt to come on tap?

He even references the threat on that page: "2015-05-19 Malware pretending to
be PuTTY." Which would be a lot easier to detect if the software was signed.

~~~
noinsight
> signing the Putty executable

But there's a GPG signature file which you can use to verify the download!
How? I wouldn't know because I've never bothered. And if I remember correctly,
the RSA key is also 1024 bits which is another no-no (this has come up
before).

~~~
ehPReth
Their current release key is RSA 2048:
[http://www.chiark.greenend.org.uk/~sgtatham/putty/keys.html](http://www.chiark.greenend.org.uk/~sgtatham/putty/keys.html)

~~~
josteink
Which is also not on HTTPS.

I read this "old" piece about PuTTY the other day and it still seems just as
absurd:

[https://noncombatant.org/2014/03/03/downloading-software-
saf...](https://noncombatant.org/2014/03/03/downloading-software-safely-is-
nearly-impossible/)

------
sofaofthedamned
You don't often see vulnerabilities in Putty, which considering the amount of
corporate systems it's used with is quite amazing.

~~~
ipozgaj
I still don't understand why PuTTY got so popular (e.g. why not OpenSSH/Cygwin
combo)

~~~
NelsonMinar
PuTTY had a great VT100/xterm emulator long before any other free SSH option
did. And it's a standalone app, no need for a giant Cygwin install.

~~~
teddyh
I believe that the TTSSH extension to Tera Term fulfilled this before PuTTY.
However, it was a separate extension to the Tera Term terminal emulator, so it
was a bit fiddly to set up.

------
Bud
You know what I love about PuTTY? It's been around since the Clinton
Administration (debuted in 1998), but it's still only at version 0.66.

What will it take to get a version 1.0? Sentience?

~~~
vacri
My favourite was the roguelike ADoM, which went up to 0.99, then alpha through
gamma, then up to gamma 16, for a final version of 0.99gamma16 before tripping
over to 1.0.

------
mappu
MinTTY in Cygwin is based on the terminal emulation code from PuTTY, is it
affected by the same CVE-2015-5309 ?

~~~
voltagex_
I'd also like to know this, but won't have time to check. There's also many
many forks of PuTTY that'll need to be updated.

------
fluffyllemon
> This bug was found with the help of American Fuzzy Lop

------
kilovoltaire

      difficulty: fun: Just needs tuits, and not many of them.
    

What does _tuits_ mean?

~~~
alblue
There's a phrase "get a round tuit" which is a phonetical approxmaton of "get
around to it".

[https://en.m.wiktionary.org/wiki/round_tuit](https://en.m.wiktionary.org/wiki/round_tuit)

~~~
McGlockenshire
I've also seen it used as a variation on "intuition."

------
frozenport
How do you execute privileged code from this vulnerability (on the client?)?
What is the worst case senario?

~~~
consto
> To exploit a vulnerability in the terminal emulator, an attacker must be
> able to insert a carefully crafted escape sequence into the terminal stream.
> For a PuTTY SSH session, this must be before encryption, so the attacker
> likely needs access to the server you're connecting to. For instance, an
> attacker on a multi-user machine that you connect to could trick you into
> running cat on a file they control containing a malicious escape sequence.
> (Unix write(1) is not a vector for this, if implemented correctly.)

From the sounds of it, an attacker needs to either compromise the machine you
intend to ssh into, or mitm before you first ever connect. Once keys are
cached you should easily notice if you've been mitmed.

~~~
frozenport
Yes, they need to compromise the server but they also need to compromise the
client. With both compromised they will have the same execution privileges as
the original Putty.exe, then they will need to ROPgadget? If they have both
compromised by the heck do they need to use putty?

~~~
Drdrdrq
No, they must control the server, and with that they can compromise the
client. Or at least this is how I understand it.

~~~
nitrogen
An attacker might just need to get something to show up into a log file that
is then viewed using PuTTY. Always escape attacker-controlled data before
logging or displaying it.

~~~
frozenport
Okay, but crashing the client isn't the same thing as compromising the client.

~~~
nitrogen
From the linked page describing the bug:

> This might be exploitable if the attacker could arrange for UCSWIDE to be in
> memory somewhere near a sensitive data structure.

Crashes are _very_ frequently capable of being exploited, to the point that
every crashing bug should be treated as a security vulnerability. At the very
least, it's a DoS.

------
MaulingMonkey
My TtyRec player is PuTTY based <_<. _Updates_.

~~~
fabulist
don't forget to restart, as well.

------
mlhamel
Is there anywhere sources of putty available?

~~~
DanBC
[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.h...](http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)

------
newsignup
fuzzy lop seems to be quite handy since recently I saw a post here when they
found 10s of bugs in ffmpeg.

~~~
IshKebab
I think it was more like 1000...

------
newman314
Too bad putty still doesn't support ed25519

~~~
tetsefly
Looks like ed25519 was added in May 10th, 2015. [1]

    
    
         We claim version: SSH-2.0-PuTTY_Snapshot_2015_11_08.b003e5c
         Server version: SSH-2.0-OpenSSH_6.7p1 Debian-5
         Using SSH protocol version 2
         Doing ECDH key exchange with curve Curve25519 and hash SHA-256
         Host key fingerprint is:
         ssh-ed25519 256 <fingerprint>
         Initialised ChaCha20 client->server encryption
         Initialised Poly1305 client->server MAC algorithm (in ETM mode) (required by cipher)
         Initialised ChaCha20 server->client encryption
         Initialised Poly1305 server->client MAC algorithm (in ETM mode) (required by cipher)
    

I'm no expert, and this might not be what you are talking about, but to my
untrained eye, it does?

Now, to get back on topic, they believe that the attack would already need
access to the server.

 _" To exploit a vulnerability in the terminal emulator, an attacker must be
able to insert a carefully crafted escape sequence into the terminal stream.
For a PuTTY SSH session, this must be before encryption, so the attacker
likely needs access to the server you're connecting to. For instance, an
attacker on a multi-user machine that you connect to could trick you into
running cat on a file they control containing a malicious escape sequence.
(Unix write(1) is not a vector for this, if implemented correctly.)"_

[1] [http://tartarus.org/~simon-git/gitweb/?p=putty-
wishlist.git;...](http://tartarus.org/~simon-git/gitweb/?p=putty-
wishlist.git;a=blob;f=data/ed25519;h=d2d4b994da9245c2521eb25197d4a2632e2708b4;hb=740b9af900e7964fb56f79a08f257e5587c78fb0)

~~~
MrRadar
Ed25519 and ChaCha20-Poly1305 support are present in Git but not in any
released version yet.

~~~
zo1
Looks like there is an automatically-built set of binaries that run off the
development branch. Have a look here:

[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.h...](http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)

