Another Serious Security Hole in PuTTY, Fixed

Markaci writes "You may recall recently upgrading PuTTY. There is a new version, released 2004-10-26, which fixes a very similar security hole. The bug can allow servers that you think you can trust to execute code on the PuTTY client, even before you verify the hosts key while connecting using SSH2. You can be attacked before you know that you have connected to the wrong machine. Upgrade to version 0.56 now."

um.. how does it work?

[nile_list]

Are there any details on how this exploit actually works? There's no FA to read this time :(

Amazing

[Pan T. Hose]

This is really amazing how fast bugfixing work in free software and open source. "Warning, there is a hole, well actually there was a hole." I wonder how would that process work in case of proprietary software. We'll probably have to wait a year for another service pack. In any case, there is only one thing I can say here: kudos for PuTTY security team for fixing your holes so quickly.

Re:Amazing

[avalys]

This amazingly off-topic, but I feel like asking - what the hell do you do all day? It seems like every time I read the comments for a story, I see your name somewhere in the first five responses.

Re:Amazing

[Anonymous Coward]

Posts to slashdot and studies [slashdot.org] the moderation of his comments in GREAT DETAIL. I only notcied this as I was checking his post history to see if he was a troll before I took the bait and replied to a comment of his in a different story. I did not bite.

Re:Amazing

[kayen_telva]

he has a PHD in first posts

Re:Amazing

[Westley]

While in general I agree that bugfixing tends to be fast in free software, I think PuTTY is a particularly exceptional case.

This is because Simon (and the rest of the PuTTY team, I suspect) basically won't sleep knowing there's a significant security flaw.

Considering this started off as just a way of getting a reasonable terminal emulator for Windows for personal use, I'm always amazed at how wide-spread PuTTY has become. Then again, it's a cracking piece of software.

I used to use the fact that Tim Curry played Monopoly with my dad when they were kids as my kudos-by-proxy. Now it's being mates with Simon :)

Re:Amazing

[Anonymous Coward]

More likely the Dr. Frankenfurter / Rocky Horror Picture Show way.

Re:Amazing

[QuantumG]

Can ya get him to accept my patch then? I've only emailed it to him about 5 times. Nothin' like gettin' snubbed by someone you're doing free work for.

Re:Amazing

[Westley]

What does it do? Bear in mind that the PuTTY team gets a *huge* amount of mail - it often takes them a long time to work through it.

Re:Amazing

[QuantumG]

It's a UI patch. If they had a proper patch submission process, a mailing list, or some delegation of work, they'd get a lot more done.

Re:Amazing

[Simon Tatham]

Sorry about that. I've found your patch in my mail archives (although I only see two copies of it, not five!). As far as I can tell, both times it turned up when I had so much mail to read that I simply didn't have time to read it all.

Delegation of work would be nice, but it's very difficult to find anyone competent to vet patches the same way we do, with full appreciation of issues such as portability. At the end of the day, the core PuTTY team need to personally check anything that goes into the code base, to prevent obvious security holes (although this isn't a great time to mention that, I know :-) and to ensure the long-term health and maintainability of the code. Even the very best patches I've received still need work before they're usable.

Your patches look mostly sensible. I'll respond in detail by email.

Re:Amazing

[ctr2sprt]

While OSS has an advantage that bugs get fixed faster with more people available to work on them, it also has the disadvantage that the bugs are apparent to anyone who takes the time to look. So instead of having to pore through a million lines of assembler code and stack traces, you just look at the parts of the code where a buffer overflow might show up.

The moral of the story: it may take MS a month to roll out a fix, but it may also take a month longer for the bug to be discovered by unscrupulous indi

Re:Amazing

[T-Ranger]

I'm not at all versed in the art of scanning through binary code looking for holes... Or even through code for that matter. But look at games, for example. How long does it take an experience cracker to build a no-CD crack for a game? They dont call it zero day warez for nothing. I know its not a direct analogy, crackers would not necessaraly have access to the binaries of the target system.

But the concern, the real concern, is not from a script kiddie using a year old exploit and turning your box into a p

Re:Amazing

[Anonymous Coward]

How long does it take an experience cracker to build a no-CD crack for a game? They dont call it zero day warez for nothing.

For the most part, copy protection is the same, so they only have to crack it once and it will work mostly-unmodified on many different games. Also, they don't need to exploit the copy protection, they just strip it out entirely so it's never even used. They don't exploit holes, they exploit the ability of the user to replace the game .exe with a new one.

But the concern, the

Re:Amazing

[cgenman]

How long does it take an experience cracker to build a no-CD crack for a game?

Macrovision once estimated the time for an average game at 5 days, and touted that their software pushed that number back an additional week. Actual merits of Safe Disk aside, In the industry one assumes a one to two week window before pirated copies start arriving, unless your game is particularly popular and it gets cracked on release day or even before release.

Having access to the source doesn't really make it any easier for a hacker to deconstruct the workings of the system. Binary Executables are uncompiled all of the time for compatibility purposes, it's really not much of an impediment.

A silly explanation

[BortQ]

The exploit works like this:

When putty goes out over the web, if an attacker can find it then they can press a piece of newsprint against it. Putty will come away from this with some arbitrary instructions left inside. Scary.

The solution is to always keep your putty inside it's protective egg when in unknown territory.

Umm newspost?

[LiENUS]

While the file is on the download page http://www.chiark.greenend.org.uk/~sgtatham/putty/ download.html [greenend.org.uk] there is no notice of the security flaw... anyone know anything about this?

Re:Umm newspost?

[LiENUS]

Nevermind they JUST made a post on the site detailing it.

Re:Latest version

[irc.goatse.cx troll]

Thats nice if you want a trojaned ssh client. The rest of use just google I'm feeling lucky "putty.exe".

If you don't believe me that its trojaned, scan it in any current antivirus software -- It submits your password via some custom protocol via the same port RealMedia uses. Nice try, script kiddie.

I love PuTTY

[tod_miller]

I have used it for about 6 years, I always grab a copy and need it for something other, even for mudding on Discworld this one time...

I don't think I ever visited the official site though... :-) Thanks developer type guys!

Re:

[account_deleted]

Comment removed based on user account deletion