Home
|
FAQ
|
Feedback
|
Licence
|
Updates
|
Mirrors
|
Keys
|
Links
|
Team
Download:
Stable
·
Pre-release
·
Snapshot
|
Docs
|
Privacy
|
Changes
|
Wishlist
Up to and including version 0.70, when you launched the online help in any of the Windows PuTTY GUI tools, the tool would locate its help file by looking alongside its own executable.
If you were running PuTTY from a directory that unrelated code could
arrange to drop files into (for example, running it directly from a
browser's default download directory), this means that if somebody
contrived to get a file called putty.chm
into that
directory (for example, by enticing you to click on a download link
with that name) then PuTTY would believe it was the real help file,
and feed it to htmlhelp.exe
. (This is a similar attack
vector to the previous vuln-indirect-dll-hijack.)
This is a vulnerability because HTML Help files (.chm
)
can arrange in turn to run code of their choice, for example by
embedding an <OBJECT>
HTML element that is a
Windows shortcut, plus Javascript to click it. See, for example, this
proof
of concept.
As of 0.71, this is fixed by completely changing how the PuTTY tools find their help file:
putty.chm
.
putty.exe
:
one with an embedded help file and one without. If you're in doubt,
the About box tells you which one you're running.
Also, we have removed the first-generation Windows Help files
completely (putty.hlp
and the separate contents file
putty.cnt
), since they undoubtedly had the same issue and
are now obsolete.
If you had installed PuTTY via the normal MSI installer, or if you were careful in any other way about where you downloaded the standalone executable files to, then you should be safe from this issue.
This vulnerability was found by Dolev Taler, as part of a bug bounty programme run under the auspices of the EU-FOSSA project. It has been assigned CVE ID CVE-2019-9896.