Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another Serious Security Hole in PuTTY, Fixed

Posted by timothy on from the fixation-nation dept.

Markaci writes "You may recall recently upgrading PuTTY. There is a new version, released 2004-10-26, which fixes a very similar security hole. The bug can allow servers that you think you can trust to execute code on the PuTTY client, even before you verify the hosts key while connecting using SSH2. You can be attacked before you know that you have connected to the wrong machine. Upgrade to version 0.56 now."

30 comments

  1. um.. how does it work? by nile_list · · Score: 1

    Are there any details on how this exploit actually works? There's no FA to read this time :(

    --
    Gnash Gnash Gnash
    1. Re:um.. how does it work? by Anonymous Coward · · Score: 0

      At some point iDEFENSE will presumably post an advisory, but in the meantime, here's the PuTTY team's take: http://www.chiark.greenend.org.uk/~sgtatham/putty/ wishlist/vuln-ssh2-debug.html

    2. Re:um.. how does it work? by Anonymous Coward · · Score: 0

      iDEFENSE's advisory is at http://www.idefense.com/application/poi/display?id =155&type=vulnerabilities&flashstatus=fals e (bypassing their silly Javascript).

  2. Amazing by Pan+T.+Hose · · Score: 1, Insightful

    This is really amazing how fast bugfixing work in free software and open source. "Warning, there is a hole, well actually there was a hole." I wonder how would that process work in case of proprietary software. We'll probably have to wait a year for another service pack. In any case, there is only one thing I can say here: kudos for PuTTY security team for fixing your holes so quickly.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
    1. Re:Amazing by avalys · · Score: 1

      This amazingly off-topic, but I feel like asking - what the hell do you do all day? It seems like every time I read the comments for a story, I see your name somewhere in the first five responses.

      --
      This space intentionally left blank.
    2. Re:Amazing by Westley · · Score: 4, Interesting

      While in general I agree that bugfixing tends to be fast in free software, I think PuTTY is a particularly exceptional case.

      This is because Simon (and the rest of the PuTTY team, I suspect) basically won't sleep knowing there's a significant security flaw.

      Considering this started off as just a way of getting a reasonable terminal emulator for Windows for personal use, I'm always amazed at how wide-spread PuTTY has become. Then again, it's a cracking piece of software.

      I used to use the fact that Tim Curry played Monopoly with my dad when they were kids as my kudos-by-proxy. Now it's being mates with Simon :)

    3. Re:Amazing by Anonymous Coward · · Score: 1, Informative

      Posts to slashdot and studies the moderation of his comments in GREAT DETAIL. I only notcied this as I was checking his post history to see if he was a troll before I took the bait and replied to a comment of his in a different story. I did not bite.

    4. Re:Amazing by kayen_telva · · Score: 4, Funny

      he has a PHD in first posts

    5. Re:Amazing by ctr2sprt · · Score: 2, Insightful
      While OSS has an advantage that bugs get fixed faster with more people available to work on them, it also has the disadvantage that the bugs are apparent to anyone who takes the time to look. So instead of having to pore through a million lines of assembler code and stack traces, you just look at the parts of the code where a buffer overflow might show up.

      The moral of the story: it may take MS a month to roll out a fix, but it may also take a month longer for the bug to be discovered by unscrupulous individuals. MS, meanwhile, has access to the source, so it increases their chances of finding it first.

      I'm not saying the closed-source approach is better, just that by the nature of the beast, OSS developers have to be more on the ball when it comes to releasing fixes quickly. That might explain why they usually are.

    6. Re:Amazing by Anonymous Coward · · Score: 0

      Do you mean "mates" in the traditional British MSM way?

    7. Re:Amazing by QuantumG · · Score: 3, Interesting

      Can ya get him to accept my patch then? I've only emailed it to him about 5 times. Nothin' like gettin' snubbed by someone you're doing free work for.

      --
      How we know is more important than what we know.
    8. Re:Amazing by T-Ranger · · Score: 1

      I'm not at all versed in the art of scanning through binary code looking for holes... Or even through code for that matter. But look at games, for example. How long does it take an experience cracker to build a no-CD crack for a game? They dont call it zero day warez for nothing. I know its not a direct analogy, crackers would not necessaraly have access to the binaries of the target system.

      But the concern, the real concern, is not from a script kiddie using a year old exploit and turning your box into a porn site. The real concern is from someone finding a new exploit, breaking into a important system, undetected, and steal or alter data. The nature of the developement process means that mistakes that could be security problems dont become real world exploits. And those that do work their way into production code will eventuall be vetted out by a high school student or the OpenBSD team, and fixed publicly. Exploits that work their way into closed source code will stay their untill not when an exploit is found, but untill when an exploit is found by a good guy and reported. Or to put things another way, the security issues with OSS approches zero the longer it is used. Closed source software, the issues approch some constant above zero.

    9. Re:Amazing by Anonymous Coward · · Score: 2, Interesting
      How long does it take an experience cracker to build a no-CD crack for a game? They dont call it zero day warez for nothing.
      For the most part, copy protection is the same, so they only have to crack it once and it will work mostly-unmodified on many different games. Also, they don't need to exploit the copy protection, they just strip it out entirely so it's never even used. They don't exploit holes, they exploit the ability of the user to replace the game .exe with a new one.

      But the concern, the real concern, is not from a script kiddie using a year old exploit and turning your box into a porn site. The real concern is from someone finding a new exploit, breaking into a important system, undetected, and steal or alter data.
      You're both right and wrong. It's "security by volume," in a way. You have to worry more about script kiddies because there are a lot more of them and the scripts are designed to trawl a huge number of machines all at once.

      The highly-talented individuals who write the scripts the kiddies use are more dangerous, per-person, but there are also far fewer of them. So while they can do more damage individually, as a group they actually do less... though usually their type of damage is far more severe.

      Your analysis of the disadvantages of closed-source software is also a little pessimistic. Assuming no other security measures in place, you'd be right. But a good, layered security approach will make a hacker's job much harder since it increases the number of vulnerabilities he needs to find. With a decent IDS running on the network and hidden from the intruder you should be able to replay his attack and report it to MS, who can then look at the source and figure out how to fix it. While all this is going on, only that one hacker knows how to duplicate his efforts. If he releases his exploit into the wild MS can quickly understand exactly how it works and release a patch in a matter of hours (if they choose to); if he doesn't, then the danger is low because he can only attack a certain number of computers at once.

      It's a definite balancing act, and if you're a big or important site like amazon.com or a bank, you should probably worry more about the individuals than the kiddies. But 99.995% of the Internet should be more concerned about the ignorant masses who can't do anything but run scripts on their DSL subnets.

    10. Re:Amazing by Anonymous Coward · · Score: 1, Funny

      More likely the Dr. Frankenfurter / Rocky Horror Picture Show way.

    11. Re:Amazing by Anonymous Coward · · Score: 0

      He might be more inclined to respond to your emails if you didn't use "Get Cheap Viagra Online Now!" as your subject line.

    12. Re:Amazing by cgenman · · Score: 3, Insightful

      How long does it take an experience cracker to build a no-CD crack for a game?

      Macrovision once estimated the time for an average game at 5 days, and touted that their software pushed that number back an additional week. Actual merits of Safe Disk aside, In the industry one assumes a one to two week window before pirated copies start arriving, unless your game is particularly popular and it gets cracked on release day or even before release.

      Having access to the source doesn't really make it any easier for a hacker to deconstruct the workings of the system. Binary Executables are uncompiled all of the time for compatibility purposes, it's really not much of an impediment.

      --
      The ______ Agenda
    13. Re:Amazing by Anonymous Coward · · Score: 0

      will stay their untill
      but untill when

      "there", "until".

    14. Re:Amazing by Westley · · Score: 1

      What does it do? Bear in mind that the PuTTY team gets a *huge* amount of mail - it often takes them a long time to work through it.

    15. Re:Amazing by QuantumG · · Score: 1

      It's a UI patch. If they had a proper patch submission process, a mailing list, or some delegation of work, they'd get a lot more done.

      --
      How we know is more important than what we know.
    16. Re:Amazing by Simon+Tatham · · Score: 4, Funny

      Sorry about that. I've found your patch in my mail archives (although I only see two copies of it, not five!). As far as I can tell, both times it turned up when I had so much mail to read that I simply didn't have time to read it all.

      Delegation of work would be nice, but it's very difficult to find anyone competent to vet patches the same way we do, with full appreciation of issues such as portability. At the end of the day, the core PuTTY team need to personally check anything that goes into the code base, to prevent obvious security holes (although this isn't a great time to mention that, I know :-) and to ensure the long-term health and maintainability of the code. Even the very best patches I've received still need work before they're usable.

      Your patches look mostly sensible. I'll respond in detail by email.

  3. A silly explanation by BortQ · · Score: 4, Funny
    The exploit works like this:

    When putty goes out over the web, if an attacker can find it then they can press a piece of newsprint against it. Putty will come away from this with some arbitrary instructions left inside. Scary.

    The solution is to always keep your putty inside it's protective egg when in unknown territory.

    --

    A Multiplayer Strategy Game for Mac OS X, Windows, and Linux
    1. Re:A silly explanation by Anonymous Coward · · Score: 0

      inside it's protective egg

      "its".

  4. Umm newspost? by LiENUS · · Score: 1

    While the file is on the download page http://www.chiark.greenend.org.uk/~sgtatham/putty/ download.html there is no notice of the security flaw... anyone know anything about this?

    1. Re:Umm newspost? by LiENUS · · Score: 1

      Nevermind they JUST made a post on the site detailing it.

  5. Re:Latest version by irc.goatse.cx+troll · · Score: 2, Informative

    Thats nice if you want a trojaned ssh client. The rest of use just google I'm feeling lucky "putty.exe".

    If you don't believe me that its trojaned, scan it in any current antivirus software -- It submits your password via some custom protocol via the same port RealMedia uses. Nice try, script kiddie.

    --
    Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
  6. I love PuTTY by tod_miller · · Score: 1

    I have used it for about 6 years, I always grab a copy and need it for something other, even for mudding on Discworld this one time...

    I don't think I ever visited the official site though... :-) Thanks developer type guys!

    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
  7. Front page, not IT section? by Hobart · · Score: 1

    Timothy - for an app this widely deployed, this might [for the future] merit the frontpage instead of the IT section?

    --
    o/~ Join us now and share the software ...