Download: Stable · Pre-release · Snapshot | Docs | Changes | Wishlist
Many versions of PuTTY prior to 0.63 have a buffer overflow vulnerability in the calculation of modular inverses when verifying a DSA signature.
One step of the DSA signature verification procedure involves computing the modular inverse of the integer s (part of the signature) with respect to the integer q (part of the public key). If s and q have any common factor, this modular inverse cannot exist. Of course, such a signature is invalid (and probably the private key is invalid too), but PuTTY will react to that situation by its bignum code overflowing a buffer when it attempts to divide by zero during Euclid's algorithm.
This bug applies to any DSA signature received by PuTTY, including during the initial key exchange phase. Therefore, this bug can be exploited by a malicious server, before the client has received and verified a host key signature. So this attack can be performed by a man-in-the-middle between the SSH client and server, and the normal host key protections against MITM attacks are bypassed. Even if you trust the server you think you are connecting to, you are not safe.
We are unaware of any way in which this can lead to remote code execution, since there is no control over the data written into the heap.
This bug does not affect RSA keys.
This bug has been assigned CVE ID CVE-2013-4207.