Download: Stable · Snapshot | Docs | Changes | Wishlist
Some development snapshots of PuTTY, when presented with an invalid ECDSA key, will zero unrelated memory.
(Since this vulnerability is in the as-yet-unreleased ECDSA implementation, no released version of PuTTY is affected.)
ecdsa_newkey function is the part of PuTTY that
converts ECDSA public keys from SSH-2 wire format into a format that
can be used internally. If this conversion fails part-way through,
PuTTY attempts to erase the memory holding the part-constructed
internal key. One of the fields of the internal format is not
initialised to NULL before the first possible failure point, so PuTTY
can end up erasing memory unrelated to the key being loaded. It's
possible that this could be exploited to cause PuTTY to erase
ecdsa_newkey function is called whenever PuTTY
receives an ECDSA host key from an SSH-2 server, including during
initial key exchange. This means that an attack could be mounted by a
man in the middle before PuTTY has validated the host key.
This is a particular problem because in an SSH-2 connection, PuTTY converts the server-presented host key into internal format before checking that it's the correct host key, so a man in the middle could cause trouble even if the user is connecting to a trustworthy server.
This bug was found with the help of American Fuzzy Lop.