PuTTY vulnerability vuln-chm-hijack

This is a mirror. Follow this link to find the primary PuTTY web site.

summary: Potential malicious code execution via CHM hijacking
class: vulnerability: This is a security vulnerability.
difficulty: tricky: Needs many tuits.
priority: high: This should be fixed in the next release.
absent-in: 0.51
fixed-in: 67d3791de83569dd55b307b775087815ad0d9002 0.71

Up to and including version 0.70, when you launched the online help in any of the Windows PuTTY GUI tools, the tool would locate its help file by looking alongside its own executable.

If you were running PuTTY from a directory that unrelated code could arrange to drop files into (for example, running it directly from a browser's default download directory), this means that if somebody contrived to get a file called putty.chm into that directory (for example, by enticing you to click on a download link with that name) then PuTTY would believe it was the real help file, and feed it to htmlhelp.exe. (This is a similar attack vector to the previous vuln-indirect-dll-hijack.)

This is a vulnerability because HTML Help files (.chm) can arrange in turn to run code of their choice, for example by embedding an <OBJECT> HTML element that is a Windows shortcut, plus Javascript to click it. See, for example, this proof of concept.

As of 0.71, this is fixed by completely changing how the PuTTY tools find their help file:

The standalone executables (i.e. the ones you might download into a random directory in the first place) now embed the CHM inside themselves as a custom Windows resource, and when you click the help button, they write it out to a temporary file. Therefore, the CHM is protected against malicious modification by the same Authenticode signature that covers the rest of the binary.
The executables contained in the MSI installer do not have that custom resource, because that would waste disk space on multiple copies of it. Instead, they consult a Registry entry created by the installer itself, which points at the pathname where the installer saved putty.chm.

This means that there are now two versions of putty.exe: one with an embedded help file and one without. If you're in doubt, the About box tells you which one you're running.

Also, we have removed the first-generation Windows Help files completely (putty.hlp and the separate contents file putty.cnt), since they undoubtedly had the same issue and are now obsolete.

If you had installed PuTTY via the normal MSI installer, or if you were careful in any other way about where you downloaded the standalone executable files to, then you should be safe from this issue.

This vulnerability was found by Dolev Taler, as part of a bug bounty programme run under the auspices of the EU-FOSSA project. It has been assigned CVE ID CVE-2019-9896.

If you want to comment on this web site, see the Feedback page.

Audit trail for this vulnerability.

(last revision of this bug record was at 2019-03-25 20:23:34 +0000)