KiTTY Triple Threat: Millions of Users Exposed to RCE Flaws, No Patch Available!

CVE-2024-23749 & CVE-2024-25003

Security researcher Austin A. DeFrancesco, known as DEFCESCO, recently revealed a trio of vulnerabilities in KiTTY, a popular fork of the renowned PuTTY SSH and telnet client. With over 20 million downloads worldwide, KiTTY’s vulnerabilities pose a significant risk to users across various Windows operating systems.

DeFrancesco’s findings shed light on three distinct vulnerabilities within KiTTY, leading to remote code execution (RCE). These vulnerabilities, which affect all versions up to KiTTY ≤ 0.76.1.13, have been present since the software’s inception in May 2021. Despite being embedded deep within the code, these vulnerabilities remained undetected until now, leaving millions of users exposed to potential exploitation.

The vulnerabilities, dubbed CVE-2024-23749, CVE-2024-25003, and CVE-2024-25004, exploit weaknesses in how KiTTY processes certain commands sent by remote servers.

The first vulnerability, identified as CVE-2024-23749, resides within the kitty.c file precisely in the GetOneFile function. Triggered by the ANSI escape sequence \033]0;__rv, this flaw enables malicious users to inject arbitrary commands into KiTTY, ultimately leading to unauthorized access and control over the system. The vulnerability arises from insufficient input validation and insecure system calls, allowing attackers to execute code with the user’s privileges running KiTTY.

The second and third vulnerabilities, CVE-2024-25003 and CVE-2024-25004, stem from a similar source: a stack-based buffer overflow within the kitty.c file. Activated by the ANSI escape sequence \033]0;__dt, these vulnerabilities allow attackers to manipulate the hostname and username inputs, leading to the arbitrary execution of code. With insufficient bounds checking and input sanitization, KiTTY becomes susceptible to memory corruption, granting attackers unauthorized access to system resources.

To demonstrate the severity of these vulnerabilities, DeFrancesco developed three exploits targeting the flaws in KiTTY’s code. These exploits, once deployed, grant remote code execution capabilities to attackers, placing users’ systems at risk of compromise. With KiTTY operating within the standard user permission group by default, the potential impact of these exploits is substantial, affecting users across Windows 11, 10, 8, 7, and XP.

Despite DeFrancesco’s efforts in uncovering these vulnerabilities, the absence of patches leaves users exposed to potential exploitation. Without a fix in sight, KiTTY users remain vulnerable to remote attacks, highlighting the critical need for immediate action from the software’s developers.