Core Security Technologies has discovered two vulnerabilities in PuTTY, which potentially can be exploited by malicious people to compromise a user's system.

1) A boundary error within the "modpow()" function can be exploited by passing an overly large value as a base for the modular exponentiation. This can e.g. be exploited during the initial SSH2 key exchange to cause a heap-based buffer overflow by sending a specially crafted packet.

Successful exploitation may allow execution of arbitrary code on a user's system but requires that a user has been tricked into connecting to a malicious server or a session can be intercepted in a MitM (Man-in-the-Middle) attack.

2) A boundary error within the "rsaencrypt()" function can e.g. be exploited during SSH1 key exchange to cause a heap-based buffer overflow by sending a specially crafted packet with a very small public key modulus.

Successful exploitation crashes the application but may potentially also allow execution of arbitrary code on a user's system. This requires that a user has been tricked into connecting to a malicious server or a session can be intercepted in a MitM (Man-in-the-Middle) attack.

The vulnerabilities affect version 0.54 and prior.

Solution
Update to version 0.55.
Further details available to Secunia VIM customers

Provided and/or discovered by
Core Security Technologies

Changelog
Further details available to Secunia VIM customers

Original Advisory
Vendor:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modpow.html
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ssh1-kex.html

Core Security Technologies:
http://www.coresecurity.com/common/showdoc.php?idx=417&idxseccion=10

Deep Links
Links available to Secunia VIM customers