PuTTY vulnerability vuln-sshredder


summary: SSHredder test suite vulnerabilities (CERT CA-2002-36)
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
present-in: 0.53
fixed-in: 0.53b 2002-11-09 (0.54) (0.55) (0.56) (0.57) (0.58) (0.59) (0.60)

PuTTY 0.53 and earlier are vulnerable to the attack described in CERT advisory CA-2002-36 "Multiple Vulnerabilities in SSH Implementations" (also VU#389665). This vulnerability is believed to be fixed in 0.53b (released Nov 12, 2002).

Certain well-chosen malformed or unusual packets can lead to remote code execution. See the Rapid7 advisory and their SSHredder test suite for details.

I-Proyectos has released a proof-of-concept exploit to BugTraq.

CVE have assigned the following candidate IDs to the vulnerabilities tested for by SSHredder:

(I haven't checked which of these PuTTY was actually vulnerable to.)

Audit trail for this vulnerability.


(last revision of this bug record was at 2004-11-16 15:27:00 +0000)