CVE-2016-2563
Published: 2016-04-07
Priority: P269 · critical · 9.8 (CVSS 3.0)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available (see references)
EPSS: 34.22% (98.2th percentile)
Stack-based buffer overflow in the SCP command-line utility in PuTTY before 0.67 and KiTTY 0.66.6.3 and earlier allows remote servers to cause a denial of service (stack memory corruption) or execute arbitrary code via a crafted SCP-SINK file-size response to an SCP download request.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 9bis | kitty | <= 0.66.6.3 | — |
| debian | putty | < 0.67-1 (bookworm) | 0.67-1 (bookworm) |
| putty | putty | >= 0 < 0.67-1 | 0.67-1 |
| simon_tatham | putty | <= 0.66 | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for oversized file-size fields (>40 bytes) in SCP-SINK header lines sent from the server to the pscp client during an SCP download; a legitimate size never needs more than 20 decimal digits.
- Monitor the pscp process for abnormal instruction-pointer values (e.g. EIP=0x41414141), which indicate a successful overwrite of the saved return address on the stack.
- Flag PuTTY pscp versions 0.59 through 0.66 (inclusive) that connect to untrusted SSH servers; these fall inside the affected range for CVE-2016-2563.
- The trigger keywords 'x11exploit' and 'forwardedtcpipcrash', sent over an SSH session to a vulnerable PuTTY client, can cause additional denial-of-service (NULL-pointer read) crashes in packet handling.
- Exploitation requires a post-authentication context: the attacker must control or have compromised the SSH server the pscp client connects to.
- The vulnerability is triggered only during old-style SCP downloads (SCP-SINK mode), not during SCP uploads or SFTP operations.
- PuTTY code is embedded in third-party applications (e.g. FileZilla), so the affected attack surface may extend beyond standalone PuTTY/pscp installations.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
Debian
CVE-2016-2563: putty - Stack-based buffer overflow in the SCP command-line utility in PuTTY before 0.67...
vendor_debian · 2016 · CVSS 9.8 (CRITICAL)
Scope: local
bookworm: resolved (fixed in 0.67-1)
bullseye: resolved (fixed in 0.67-1)
forky: resolved (fixed in 0.67-1)
sid: resolved (fixed in 0.67-1)
trixie: resolved (fixed in 0.67-1)
GHSA
GHSA-4hmm-v4j9-3hw2: Stack-based buffer overflow in the SCP command-line utility in PuTTY before 0.67 (CVE-2016-2563, CWE-119)
ghsa_unreviewed · 2022-05-17 · CRITICAL
OSV
CVE-2016-2563: Stack-based buffer overflow in the SCP command-line utility in PuTTY before 0.67
osv · 2016-04-07 · CVSS 9.8 (CRITICAL)
No detection rules found.
HackerOne
putty pscp client-side post-auth stack buffer overwrite when processing remote file size
hackerone · 2019-11-12 · CVE-2016-2563
Not sure if this will qualify, but it may impact a pretty broad audience given the fact that PuTTY code is part of many other apps (FileZilla, ...) and it is the de facto standalone SSH client for Windows administrators (besides OpenSSH/Cygwin).
putty <= 0.66; affects putty versions dating back ~9 years.
Vulnerability Note: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563
Vendor Security Notification: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html
provided patch and PoC to vendor. was resolved within one week (which is very impressive!).
patch/poc will be released later today on this github account.
in total reported:
* mem-corruption/remote code
Bugzilla
CVE-2016-2563 putty: old-style scp downloads may allow remote code execution [epel-5]
bugzilla · 2016-03-10 · CVSS 9.8 (CRITICAL)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
[bug automatically created by: add-tracking
Bugzilla
CVE-2016-2563 putty: old-style scp downloads may allow remote code execution [epel-6]
bugzilla · 2016-03-10 · CVSS 9.8 (CRITICAL)
Bugzilla
CVE-2016-2563 putty: old-style scp downloads may allow remote code execution [fedora-all]
bugzilla · 2016-03-10 · CVSS 9.8 (CRITICAL)
NOTE: this issue affects multiple supported
Bugzilla
CVE-2016-2563 putty: old-style scp downloads may allow remote code execution
bugzilla · 2016-03-10 · CVSS 9.8 (CRITICAL)
Prior to any download in the SCP sink protocol, the server sends a line of text consisting of an octal number encoding the Unix file permissions, a decimal number encoding the file size, and the file name. Since the file size can exceed 2^32 bytes, and in some compilation configurations of PuTTY the host platform's largest integer type is only 32 bits wide, PuTTY extracts the decimal file size into a temporary string variable and passes it to its own 64-bit decimal decoding function. Unfortunately, that extraction was done carelessly, using an sscanf with no length limit, so a server-supplied size token longer than the temporary buffer overruns it.
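As an added example, not PuTTY's code and not the reporter's PoC, the C below reconstructs the parsing pattern just described (an unbounded `%s` into a fixed stack buffer) next to a bounded parser that decodes the size into 64 bits with overflow checks, plus a size-field length check that implements the "oversized file-size field" indicator from the detection list on this page. It assumes the header body is the text after the leading command byte (so `C0644 12345 report.txt` arrives as `0644 12345 report.txt`), a 40-byte temporary buffer, and function names of my own; the sample headers in `main` are constructed, not captured traffic.

```c
/*
 * Added example (not PuTTY's code): the unbounded sscanf pattern behind
 * CVE-2016-2563 beside a bounded parser and a detection check.
 * Assumptions: header body is the text after the command byte, the temporary
 * size buffer is 40 bytes, and the sample headers below are constructed.
 */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZESTR_LEN    40   /* assumed width of the temporary size buffer */
#define MAX_U64_DIGITS 20   /* UINT64_MAX has 20 decimal digits */

typedef struct {
    unsigned long permissions;  /* octal mode field */
    uint64_t      size;         /* 64-bit even where long is 32 bits */
    char          name[256];
} sink_header;

/* Vulnerable pattern: "%s" without a width copies the whole size token into a
 * 40-byte stack buffer, so a token of 40+ characters overruns it. Kept for
 * contrast only; never call it on server-controlled input. */
int parse_sink_header_unsafe(const char *line, sink_header *out)
{
    char sizestr[SIZESTR_LEN];
    int consumed = 0;
    if (sscanf(line, "%lo %s %n", &out->permissions, sizestr, &consumed) != 2)
        return -1;
    out->size = strtoull(sizestr, NULL, 10);
    snprintf(out->name, sizeof out->name, "%s", line + consumed);
    return 0;
}

/* Length of the decimal size field in characters, or -1 if there is none. */
long size_field_len(const char *line)
{
    const char *p = line;
    while (*p != '\0' && *p != ' ') p++;          /* skip the permissions field */
    while (*p == ' ') p++;
    const char *start = p;
    while (isdigit((unsigned char)*p)) p++;
    return p == start ? -1 : (long)(p - start);
}

/* Detection check: a size token that cannot fit the fixed buffer is either an
 * attack or garbage, and either way should never reach the unsafe parser. */
int sink_header_suspicious(const char *line)
{
    long n = size_field_len(line);
    return n < 0 || n >= SIZESTR_LEN;
}

/* Hardened parser: fields are length-checked before they are copied, the size
 * is decoded into 64 bits with an overflow check, and the file name gets the
 * usual sink sanity checks. Returns 0 on success, -1 on a malformed header. */
int parse_sink_header_safe(const char *line, sink_header *out)
{
    const char *p = line;
    char *end;

    errno = 0;
    unsigned long perms = strtoul(p, &end, 8);
    if (end == p || errno == ERANGE || *end != ' ')
        return -1;
    p = end + 1;

    const char *start = p;
    while (isdigit((unsigned char)*p)) p++;
    size_t ndig = (size_t)(p - start);
    if (ndig == 0 || ndig > MAX_U64_DIGITS || *p != ' ')
        return -1;                                /* too long to be a size */

    char sizestr[MAX_U64_DIGITS + 1];             /* bounded copy, always fits */
    memcpy(sizestr, start, ndig);
    sizestr[ndig] = '\0';
    errno = 0;
    unsigned long long size = strtoull(sizestr, &end, 10);
    if (errno == ERANGE)
        return -1;                                /* larger than UINT64_MAX */
    p++;

    size_t nlen = strlen(p);
    if (nlen == 0 || nlen >= sizeof out->name)
        return -1;
    if (strchr(p, '/') != NULL || strcmp(p, ".") == 0 || strcmp(p, "..") == 0)
        return -1;                                /* no path components */

    out->permissions = perms;
    out->size = (uint64_t)size;
    memcpy(out->name, p, nlen + 1);
    return 0;
}

int main(void)
{
    sink_header h;
    char crafted[256];
    const char *benign = "0644 12345 report.txt";      /* constructed */
    snprintf(crafted, sizeof crafted, "0644 %0200d pwned", 0); /* 200-digit size */

    int rc = parse_sink_header_safe(benign, &h);
    printf("benign : safe=%d size=%llu suspicious=%d\n", rc,
           (unsigned long long)h.size, sink_header_suspicious(benign));
    printf("crafted: safe=%d suspicious=%d\n",
           parse_sink_header_safe(crafted, &h), sink_header_suspicious(crafted));
    return 0;
}
```

The bounded parser rejects the 200-digit header before any copy happens, while the same line would walk straight past `sizestr[40]` in the unsafe version. The same `size_field_len` check is what a protocol-aware monitor would apply to server-to-client sink lines to raise the "oversized file-size field" indicator.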
External references:
- http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html
- http://seclists.org/fulldisclosure/2016/Mar/22
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00131.html
- http://www.securityfocus.com/bid/84296
- http://www.securitytracker.com/id/1035257
- https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563
- https://security.gentoo.org/glsa/201606-01