ASA-2019-00551 – PuTTY: Malicious clipboard content injection in bracketed paste mode


Allele Security Alert

ASA-2019-00551

Identifier(s)

ASA-2019-00551, CVE-2019-17068

Title

Malicious clipboard content injection in bracketed paste mode

Vendor(s)

PuTTY team

Product(s)

PuTTY

Affected version(s)

PuTTY version 0.72

Fixed version(s)

PuTTY version 0.73

Proof of concept

Unknown

Description

In the PuTTY terminal, bracketed paste mode was broken in 0.72, in a way that made the pasted data look like manual keyboard input. So any application relying on the bracketing sequences to protect against malicious clipboard contents would have been misled.

Technical details

The redesign in commit 9fccb065a arranged that all keystroke data goes via term_keyinput_internal(), which calls term_bracketed_paste_stop() just in case the keystroke had interrupted an in-progress paste.

Pasted data also goes via term_keyinput_internal(), and bracketed paste mode must not be terminated before that data is sent. The call to term_bracketed_paste_stop() should have been made conditional on the ‘interactive’ flag parameter, which exists precisely to distinguish pastes from true keyboard input.
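
The ordering problem described above can be reproduced in a small model. This is an example added to this alert, not PuTTY source code: only term_keyinput_internal(), term_bracketed_paste_stop() and the 'interactive' flag are taken from the text, while the struct, send_bytes(), model_paste() and the 'fixed' switch are hypothetical. ESC[200~ and ESC[201~ are the standard bracketed paste start and end markers.

```c
/* Simplified model of the paste path; not PuTTY source. Names other than
 * term_keyinput_internal / term_bracketed_paste_stop are hypothetical. */
#include <stdio.h>
#include <string.h>

struct term {
    char out[256];              /* bytes delivered to the remote application */
    int bracketed_paste_active; /* ESC[200~ sent, ESC[201~ still owed */
    int fixed;                  /* 0 = 0.72 behaviour, 1 = 0.73 behaviour */
};

static void send_bytes(struct term *t, const char *s) {
    strncat(t->out, s, sizeof t->out - strlen(t->out) - 1);
}

static void term_bracketed_paste_stop(struct term *t) {
    if (!t->bracketed_paste_active) return;
    send_bytes(t, "\033[201~");
    t->bracketed_paste_active = 0;
}

static void term_keyinput_internal(struct term *t, const char *buf, int interactive) {
    /* 0.72 closed the bracket for every caller; the fix closes it only
     * for true keyboard input, which may interrupt a paste in progress. */
    if (!t->fixed || interactive)
        term_bracketed_paste_stop(t);
    send_bytes(t, buf);
}

/* Paste driver: open bracket, send data as non-interactive input, close. */
const char *model_paste(struct term *t, const char *clipboard, int fixed) {
    memset(t, 0, sizeof *t);
    t->fixed = fixed;
    send_bytes(t, "\033[200~");
    t->bracketed_paste_active = 1;
    term_keyinput_internal(t, clipboard, 0);
    term_bracketed_paste_stop(t);
    return t->out;
}

int main(void) {
    struct term t;
    const char *clip = "echo constructed-sample\n"; /* constructed clipboard text */
    for (int fixed = 0; fixed <= 1; fixed++) {
        const char *s = model_paste(&t, clip, fixed);
        printf("%s: data inside brackets = %s\n", fixed ? "0.73" : "0.72",
               strstr(s, "\033[201~") > strstr(s, "echo") ? "yes" : "no");
    }
    return 0;
}
```

In the 0.72 case the end marker is emitted immediately after the start marker, so the application sees an empty paste followed by what looks like typed input.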

Credits

Unknown

Reference(s)

PuTTY 0.73 is released
https://lists.tartarus.org/pipermail/putty-announce/2019/000029.html

Download PuTTY: release 0.73
https://www.chiark.greenend.org.uk/~sgtatham/putty/releases/0.73.html

Don’t call term_bracketed_paste_stop before pasted data.
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=2c279283cc695ade15bafb418a8207ef0edd89cd

Rework handling of the SRM escape sequence.
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9fccb065a

CVE-2019-17068
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17068

CVE-2019-17068
https://nvd.nist.gov/vuln/detail/CVE-2019-17068


Last modified: October 6, 2019
