PuTTY for Linux (EPEL) security - password exposure

user10174131
user10174131 Member Posts: 25 Blue Ribbon

Oracle's packaging of PuTTY is not secure.

This command line option...

$ /usr/bin/psftp -h | grep pw
 -pw passw login with specified password

...will leak passwords into /proc/*/cmdline, and from there into all ps tools:

$ ps -ef | grep psftp
fishecj 25486 25272 0 14:20 pts/0 00:00:00 psftp -pw foobar [email protected]

This is a fix that I have already mailed to the PuTTY maintainers at [email protected]:

$ diff psftp.c psftp.c.nopass
2780c2780
< 
---
> char **myarg; int myc;
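Review bot: `myarg` and `myc` are new file-scope globals with no comment saying what they hold or why, and the names do not say either; since cmdline.c reaches them through an extern rather than a parameter, give them descriptive names (for example `scrub_argv` / `scrub_argc`) and a one-line comment that they keep the real argv so the `-pw` value can be overwritten in place.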
2793c2793
< 
---
> myarg=argv; myc=argc;
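Review bot: only psftp's main records argv here, but the scrubbing code sits in the shared cmdline.c, so the other tools that accept `-pw` (pscp, plink, putty) get no protection from this patch, and unless each of them also defines these two globals the extern in cmdline.c becomes an undefined symbol at link time for those binaries. A setter in cmdline.c, for example `cmdline_set_argv(argc, argv)` called from every tool's main, avoids per-tool globals entirely.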


$ diff cmdline.c cmdline.c.nopass
166c166
< 
---
> extern char **myarg; extern int myc;
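Review bot: an ad-hoc `extern` inside cmdline.c at this point lets the declaration and the definition in psftp.c drift apart in type without a diagnostic; put the declaration in the shared header that both files include so the compiler checks them against each other.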
578c578
<     else {
---
>     else { int c;
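Review bot: `else { int c;` puts a declaration on the brace line, which does not match the surrounding style; move it to its own line, or declare the index in the `for` initialiser where it is used.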
583c583,584
<       smemclr(value, strlen(value));
---
>       smemclr(value, strlen(value)); for(c=1;c<myc;c++) if(!strcmp("-pw", myarg[c])) {int d=0; while(*(d+myarg[c+1])) {*(d+myarg[c+1])='*'; d++;} break;}
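Review bot: the scan stops at the first `"-pw"` token in argv (`break`), so when `-pw` is given twice the second value stays visible in `ps`, and if an earlier argument happens to be the literal string `-pw` as the value of some other option, the wrong argument is starred; scrub the successor of every `-pw` occurrence, bound the loop by `c + 1 < myc` so `myarg[c+1]` is never the terminating NULL, and drop the `break`. The whole statement is also crammed onto one line after the existing `smemclr(value, strlen(value));`; split it into normal lines and replace `*(d+myarg[c+1])` with `myarg[c+1][d]`, or simply `memset(myarg[c+1], '*', strlen(myarg[c+1]));`.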


$ ps -ef | grep psftp
luser 30883 27085 0 15:39 pts/0  00:00:00 ./psftp -pw ************** [email protected]

Since Oracle is packaging PuTTY with this security exposure, I am requesting that the EPEL package be corrected, either in concert with upstream, or independent of them.

$ rpm -qi putty
Name    : putty
Version   : 0.76
Release   : 1.el7
Architecture: x86_64
Install Date: Thu 19 Aug 2021 03:41:42 PM CDT
Group    : Applications/Internet
Size    : 6789803
License   : MIT
Signature  : RSA/SHA256, Tue 17 Aug 2021 08:10:11 PM CDT, Key ID 72f97b74ec551f03
Source RPM : putty-0.76-1.el7.src.rpm
Build Date : Tue 17 Aug 2021 08:09:56 PM CDT
Build Host : host-100-100-224-52.blddevtest1iad.osdevelopmeniad.oraclevcn.com
Relocations : (not relocatable)
Vendor   : Oracle America
URL         : http://www.chiark.greenend.org.uk/~sgtatham/putty/
Summary   : SSH, Telnet and Rlogin client
Description :
Putty is a SSH, Telnet & Rlogin client - this time for Linux.

Answers

  • user10174131
    user10174131 Member Posts: 25 Blue Ribbon

    It occurred to me to check if this vulnerability is present on Windows, and I can confirm that it is. The "-pw" option does not appear to be safe to use on any platform, even though there is evidence in the source code that this problem is understood.

    This attempt at remediation is in no way effective.

    $ sed -n 569,585p cmdline.c
        if (!strcmp(p, "-pw")) {
            RETURN(2);
            UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
            SAVEABLE(1);
            /* We delay evaluating this until after the protocol is decided,
             * so that we can warn if it's of no use with the selected protocol */
            if (conf_get_int(conf, CONF_protocol) != PROT_SSH)
                cmdline_error("the -pw option can only be used with the "
                              "SSH protocol");
            else {
                cmdline_password = dupstr(value);
                /* Assuming that `value' is directly from argv, make a good faith
                 * attempt to trample it, to stop it showing up in `ps' output
                 * on Unix-like systems. Not guaranteed, of course. */
                smemclr(value, strlen(value));
            }
        }
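
As an added example (not PuTTY's code and not the patch in the opening post), the C program below shows the mechanism described in the opening post and the reason the `smemclr` call quoted in the answer above can miss: the kernel serves `/proc/<pid>/cmdline`, and hence `ps`, straight from the process's own argument block, so only writes to the argv bytes themselves change what is shown, while clearing a heap copy of the value changes nothing. Unlike the posted patch it scrubs every `-pw` occurrence, not just the first. All function names (`scrub_flag_values`, `trample_copy_leaves_argv`, `cmdline_contains`, `secure_fill`) are hypothetical, and the sample argument vector used in the comments is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Overwrite n bytes through a volatile pointer so the compiler cannot
 * drop the stores as dead (the job PuTTY's smemclr() does). */
static void secure_fill(char *p, size_t n, char c)
{
    volatile char *v = (volatile char *)p;
    for (size_t i = 0; i < n; i++)
        v[i] = c;
}

/* Star out the value that follows every occurrence of `flag` in argv,
 * in place, and return how many values were scrubbed. This hides the
 * secret from /proc/<pid>/cmdline only because argv here is the real
 * argument block the kernel exposes there, not a copy of it. */
int scrub_flag_values(int argc, char **argv, const char *flag)
{
    int scrubbed = 0;
    for (int i = 1; i + 1 < argc; i++) {   /* i + 1 < argc: value must exist */
        if (strcmp(argv[i], flag) == 0) {
            secure_fill(argv[i + 1], strlen(argv[i + 1]), '*');
            scrubbed++;
            i++;  /* skip the value just scrubbed */
        }
    }
    return scrubbed;
}

/* Simulate the ineffective path: the handler keeps a heap copy of the
 * value (dupstr) and then clears `value`. When `value` is itself a copy
 * rather than a pointer into argv, the argument is never touched.
 * Returns 1 if argv_like[idx] still holds its text, 0 if it was cleared,
 * -1 on allocation failure. */
int trample_copy_leaves_argv(char **argv_like, int idx)
{
    size_t len = strlen(argv_like[idx]);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, argv_like[idx], len + 1);   /* stands in for dupstr(value) */
    secure_fill(copy, len, '\0');            /* stands in for smemclr(value) */
    free(copy);
    return argv_like[idx][0] != '\0';        /* the secret is still in argv */
}

/* Read /proc/self/cmdline (argv joined by NUL bytes) and report whether
 * `needle` appears in it: 1 found, 0 not found, -1 if /proc is not
 * available (non-Linux). */
int cmdline_contains(const char *needle)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/cmdline", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    for (size_t i = 0; i < n; i++)   /* NUL separators become spaces */
        if (buf[i] == '\0')
            buf[i] = ' ';
    buf[n] = '\0';
    return strstr(buf, needle) != NULL;
}

int main(int argc, char **argv)
{
    /* Run as: ./scrub -pw hunter2 user@host   (constructed sample)
     * and compare `tr '\0' ' ' < /proc/<pid>/cmdline` before and after. */
    int before = cmdline_contains("hunter2");
    int n = scrub_flag_values(argc, argv, "-pw");
    int after = cmdline_contains("hunter2");
    printf("scrubbed %d value(s): secret visible before=%d, after=%d\n",
           n, before, after);
    return 0;
}
```

Two caveats a practitioner would want: the in-place overwrite still leaves a window between `exec` and the scrub during which the password is visible to anyone who can read `/proc/<pid>/cmdline` (world-readable by default), and a copy of argv made before the scrub, such as a saved parameter, keeps the secret. That is why a file-based option like the `-pwfile` mentioned at the end of this thread, rather than a better trample, is the real fix.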
    
  • user10174131
    user10174131 Member Posts: 25 Blue Ribbon

    On Windows, the 12.2.0.1 and 10.2.0.5 database clients also exhibit this behavior.

  • user10174131
    user10174131 Member Posts: 25 Blue Ribbon

    When attempting this on Linux, everything except argv[0] is wiped.


  • user10174131
    user10174131 Member Posts: 25 Blue Ribbon

    "If you're interested, today's snapshot build of PuTTY now supports -pwfile."