Helsinki, Finland -
November 25, 2002
SSH Secure Shell 3.1 to 3.2.0 Windows client URL catcher buffer overflow vulnerability (VU#140977)
Security Advisory regarding windows client vulnerability in SSH Secure Shell for Workstations, versions 3.1 to 3.2.0.
The URL capturing mechanism of the SSH Secure Shell Windows client may, in certain special circumstances, be used to trick an unwary user to allow an attacker to insert and run code on the client's host. To be exploited the vulnerability requires that the user of the SSH
Secure Shell client clicks the maliciously generated URL.
The versions of SSH Secure Shell Windows client that are affected:
Shell Windows client in a situation in which clicking very long
(~500 characters) URLs may cause a buffer overflow in the
SSH Secure Shell windows client and possibly allows an attacker
to feed malicious code into the memory of the client PC.
To mount a successful attack an attacker must:
This issue is very similar to methods used in e-mail attachment-based attacks, as it combines social and technological elements; malicious code is provided to a user who is then persuaded to perform an action that triggers the attack. Since a potential attack requires user interaction, it is important to note the value of user education in relation to information security.
There are two ways to handle the security threat formed by the URL handling problem:
SSH Secure Shell for Workstations 3.2.2
(for customers that have a valid license or non-commercial users)
English Windows Client
If you have a commercial license for a 3.2.0 product, you can install the 3.2.2 version binary on top of the old 3.2.0. A valid license.dat file is required for the English Windows client to function in commercial mode (without the license file, the software will function in non-commercial mode, with PKI functionality disabled).
SSH Secure Shell for Workstations 3.1.5
(for customers that have a valid license)
Japanese Windows Client
German Windows Client
French Windows Client
English Windows Client
A valid license.dat file is required separately for each localized version.
Customers entitled to version 3.1 who submitted their email address to the SSH Communications Security sales department were provided a link to download appropriate license file. Please contact your sales representative if you do not have the license file and wish to obtain one.
The URL capturing mechanism of the SSH Secure Shell Windows client may, in certain special circumstances, be used to trick an unwary user to allow an attacker to insert and run code on the client's host. To be exploited the vulnerability requires that the user of the SSH
Secure Shell client clicks the maliciously generated URL.
Affected Systems
The versions of SSH Secure Shell Windows client that are affected:
- all SSH Secure Shell for Workstations 3.1 (also the localized language versions)
- SSH Secure Shell for Workstations 3.2.0
Description of the Vulnerability
A design flaw in the URL handling mechanism of SSH SecureShell Windows client in a situation in which clicking very long
(~500 characters) URLs may cause a buffer overflow in the
SSH Secure Shell windows client and possibly allows an attacker
to feed malicious code into the memory of the client PC.
To mount a successful attack an attacker must:
- Create a URL that includes the malicious code in a textual format. This means that the URL will contain text that is not humanly readable and that the URL will be exceptionally long (over 480 characters)
- The attacker must get the maliciously generated URL to the terminal window SSH Secure Shell AND persuade the user to click the URL.
Risk of Exploit
No harm will be done unless the end user of SSH Secure Shell clicks the maliciously formed URL in the terminal window of SSH Secure Shell. In other words, no attack is possible without the actions of the user of the SSH Secure Shell client. A maliciously formed URL is easily identifiable as it is excessively long (a few hundred characters).This issue is very similar to methods used in e-mail attachment-based attacks, as it combines social and technological elements; malicious code is provided to a user who is then persuaded to perform an action that triggers the attack. Since a potential attack requires user interaction, it is important to note the value of user education in relation to information security.
Description of the fix
In SSH Secure Shell Windows client versions 3.1.5 and 3.2.2 the URL handling mechanism has been fixed so that the maximum URL length is checked and enforced.Solution to the problem
There are two ways to handle the security threat formed by the URL handling problem:
- Replace vulnerable SSH Secure Shell Windows clients with an updated version that contains the fix.
- Instruct users of SSH Secure Shell NOT to click on exceptionally long, and non-readable URLs in the terminal window of SSH Secure Shell.
SSH Secure Shell for Workstations 3.2.2
(for customers that have a valid license or non-commercial users)
English Windows Client
If you have a commercial license for a 3.2.0 product, you can install the 3.2.2 version binary on top of the old 3.2.0. A valid license.dat file is required for the English Windows client to function in commercial mode (without the license file, the software will function in non-commercial mode, with PKI functionality disabled).
SSH Secure Shell for Workstations 3.1.5
(for customers that have a valid license)
Japanese Windows Client
German Windows Client
French Windows Client
English Windows Client
A valid license.dat file is required separately for each localized version.
Customers entitled to version 3.1 who submitted their email address to the SSH Communications Security sales department were provided a link to download appropriate license file. Please contact your sales representative if you do not have the license file and wish to obtain one.
SSH Communications Security Corp is committed to utmost security
SSH Communications Security apologizes for any inconvenience caused. We take security of the systems of our customers very seriously and do our utmost to provide secure software. We strongly urge all customers to consider the implications of this vulnerability carefully and to make an educated decision on whether or not to update.SSH Corp. Contact
George Adams
SSH Communications Security Corp.
Tel: +1 781 247 2100
E-mail: 
Americas Contact
Byron Rashed
SSH Communications Security, Inc.
Tel: +1 650 251 2721
E-mail: 
Europe Contact
Bo Sorensen
SSH Communications Security Corp.
Tel: +358 20 500 7404
E-mail: 
Investor Relations
Mika Peuranen
SSH Communications Security Corp.
Tel: +358 20 500 7419
E-mail: 
U.S. Agency Contact
Cheryl Seaberg
Walt & Company
Tel: +1 408 496 0900 x 2981
E-mail: 
© 2002 SSH Communications Security Corp. All rights reserved. ssh® is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. All other names and marks are property of their respective owners.