Allele Security Alert
ASA-2019-00551
Identifier(s)
ASA-2019-00551, CVE-2019-17068
Title
Malicious clipboard content injection in bracketed paste mode
Vendor(s)
PuTTY team
Product(s)
PuTTY
Affected version(s)
PuTTY version 0.72
Fixed version(s)
PuTTY version 0.73
Proof of concept
Unknown
Description
In the PuTTY terminal, bracketed paste mode was broken in 0.72, in a way that made the pasted data look like manual keyboard input. So any application relying on the bracketing sequences to protect against malicious clipboard contents would have been misled.
Technical details
The redesign in commit 9fccb065a arranged that all keystroke data goes via term_keyinput_internal(), which calls term_bracketed_paste_stop() just in case the keystroke had interrupted an in-progress paste.
Pasted data also goes via term_keyinput_internal(), and bracketed paste mode must not be terminated before that data is sent. The call to term_bracketed_paste_stop() should have been conditional on the ‘interactive’ flag parameter, which exists precisely to distinguish pastes from true keyboard input.
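The control flow described above, reduced to a simplified C model that shows where the end-of-paste marker lands relative to the pasted bytes. This is an added example, not PuTTY's source: the model_* names, the `fixed` switch and the clipboard string are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define PASTE_START "\033[200~"
#define PASTE_END   "\033[201~"
#define CLIP "echo constructed-sample\n"  /* constructed clipboard text */

/* Simplified model with hypothetical names; not PuTTY's own code. */
struct model_term {
    int paste_active;  /* start marker sent, end marker not yet sent */
    char out[256];     /* bytes delivered to the application */
};
static void emit(struct model_term *t, const char *s) {
    strncat(t->out, s, sizeof t->out - strlen(t->out) - 1);
}

static void model_paste_stop(struct model_term *t) {
    if (t->paste_active) { emit(t, PASTE_END); t->paste_active = 0; }
}

/* Shared path: keystrokes pass interactive=1, pasted data interactive=0.
   fixed=0 models the unconditional stop, fixed=1 the conditional one. */
static void model_keyinput(struct model_term *t, const char *data,
                           int interactive, int fixed) {
    if (!fixed || interactive) model_paste_stop(t);
    emit(t, data);
}

static void model_paste(struct model_term *t, const char *clip, int fixed) {
    memset(t, 0, sizeof *t);
    emit(t, PASTE_START);
    t->paste_active = 1;
    model_keyinput(t, clip, 0, fixed);
    model_paste_stop(t);   /* normal end of paste */
}

/* Returns 1 only if payload lies between the start and end markers. */
static int payload_is_bracketed(const struct model_term *t, const char *payload) {
    const char *s = strstr(t->out, PASTE_START);
    const char *p = strstr(t->out, payload);
    const char *e = s ? strstr(s, PASTE_END) : NULL;
    return s && p && e && s < p && p < e;
}

int main(void) {
    struct model_term t;
    for (int fixed = 0; fixed <= 1; fixed++) {
        model_paste(&t, CLIP, fixed);
        printf("fixed=%d bracketed=%d\n", fixed, payload_is_bracketed(&t, CLIP));
    }
}
```

With the unconditional stop, the application receives both markers back to back followed by the clipboard bytes, so its paste detection sees an empty paste and then what looks like typed input.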
Credits
Unknown
Reference(s)
PuTTY 0.73 is released
https://lists.tartarus.org/pipermail/putty-announce/2019/000029.html
Download PuTTY: release 0.73
https://www.chiark.greenend.org.uk/~sgtatham/putty/releases/0.73.html
Don’t call term_bracketed_paste_stop before pasted data.
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=2c279283cc695ade15bafb418a8207ef0edd89cd
Rework handling of the SRM escape sequence.
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9fccb065a
CVE-2019-17068
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17068
CVE-2019-17068
https://nvd.nist.gov/vuln/detail/CVE-2019-17068
Last modified: October 6, 2019