Proof Of Concept that exploits PuTTy CVE-2024-31497.# CVE-2024-31497 POC
This vulnerability exploits the biased ECDSA nonce generation in the ```ecc-ssh.c``` file. The nonce is generated with $sha512(ID\ ||\ sha512(privKey)\ ||\ sha1(data))\ mod\ q$ leaving the top 9 bits to zero. In order to recover the private key we need 60 signatures but with 58 we still have 50% probability of success.
Vuln discovered by Bäumer and Marcus Brinkmann.
## Requirements
In order to use this exploit you must have [sagemath](https://github.com/sagemath/sage/) and the python dependencies in ```requirements.txt``` installed.
## Attack Surface
1. Extract the ECDSA signatures from 60 verified GitHub commits that used PuTTy or TortoiseGit to sign the commit content.
2. Another possible attack is to set up a rogue SSH server where victims connect (using PuTTY or Pageant) and after several connections you can retrieve the 60 signatures to recover the private key.
## Arguments
- The signature file must contain the **message hash**, a space and the values of **r** and **s** concatenated.
- The **pubkey** file input, can be in raw, PEM, DER or OpenSSH format.
## Acknowledgements
This poc uses part of the [malb](https://github.com/malb) implementation of the paper [On Bounded Distance Decoding with Predicate: Breaking the "Lattice Barrier" for the Hidden Number Problem](https://eprint.iacr.org/2020/1540.pdf)
[4.0K] /data/pocs/e633b58ef641e0bd9a76e8f56cdd4716f9d69b8f
├── [4.0K] attack
│ ├── [ 22K] ecdsa_hnp.py
│ ├── [1.1K] exploit.py
│ ├── [ 31K] usvp.py
│ └── [1003] utils.py
├── [2.5K] main.py
├── [1.3K] README.md
├── [ 74] requirements.txt
├── [4.0K] test
│ ├── [ 267] pubkey.pub
│ └── [ 23K] signatures.txt
└── [ 557] test.py
2 directories, 10 files