RE: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta

From: Burton M. Strauss III (bstrauss3at_private)
Date: Fri Jul 26 2002 - 13:42:10 PDT


    You know, that's only partially a solution.  For those of us who haven't
    chosen to PAY for the upgrade to 3.4, we're left out in the cold.  Quoting
    from VanDyke's web page:
    
    "All users may evaluate SecureCRT 3.4 for 30 days free of charge. Registered
    users who purchased licenses before July 1, 2000 should consult the Upgrade
    Eligibility page to learn about licensing the 3.4 upgrade."
    
    and
    
    "SecureCRT Upgrade
    
    Registered users who purchased licenses before July 1, 2001 may choose to
    purchase SecureCRT upgrades starting at $39.95 for a single copy.
    
    <snip />
    
    SecureCRT users who purchased licenses between January 1 and July 1, 2000
    are eligible to download SecureCRT 3.3.3 and upgrade without charge.
    SecureCRT users who purchased licenses before January 1, 2000 are eligible
    to download SecureCRT 3.2.1 and upgrade without charge."
    
    
    I'm not unsympathetic to the need to have a licensing revenue stream, but
    let's remember that this leaves (dozens? hundreds? thousands? Just me) of
    your customers unprotected.
    
    -----Burton
    
    
    -----Original Message-----
    From: kelli burkinshaw [mailto:kelli.burkinshawat_private]
    Sent: Thursday, July 25, 2002 5:33 PM
    To: bugtraqat_private
    Subject: Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT
    3.4 & 4.0 beta
    
    
    In-Reply-To: <20020722200944.A6030at_private-f.net>
    
    > SecureCRT (http://www.vandyke.com/products/securecrt/) seems to have
    > a bug in a seemingly trivial portion of its SSH connection code.
    > When an SSH Client connects to a server, the server sends a version
    > string containing minor and major numbers for the protocol, as well
    > as a server-specific identifier string which is specified to be no
    > more than 40 bytes long.  Unfortunately the SecureCRT code which handles
    > errors relating to an unsupported protocol version contains an unchecked
    > buffer overflow when dealing with this identifier string.
    
    VanDyke Software has released SecureCRT version 3.4.6 and version 4.0
    beta 3 to eliminate the issue in SecureCRT you describe above. The issue
    made SecureCRT vulnerable to a buffer overflow attack which could allow
    malicious parties to execute arbitrary code when connecting to an SSH1
    server that has been modified to perform this exploit. SSH2 connections
    are not affected by the vulnerability.
    
    VanDyke Software recommends that anyone using SecureCRT versions 2.x,
    3.x, or 4.x upgrade immediately to the available revisions.
    
    For more details and to download a new version see:
    
      http://www.vandyke.com/products/securecrt/security07-25-02.html
    
    --
    kelli burkinshaw              VanDyke Software
    kelli.burkinshawat_private  Product Director
    http://www.vandyke.com        505.332.5700 (T) 505.332.5701 (F)
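
An added example, not part of either message and not VanDyke's code: a client-side parser for the server version line described in the quoted report, which rejects an identifier over the 40-byte limit and formats the unsupported-version error with a bounded write. The names parse_banner, format_unsupported and LINE_CAP, and the 255-byte line cap, are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ID_MAX   40    /* identifier limit quoted in the report */
#define LINE_CAP 255   /* assumed cap on the whole version line */

struct ssh_banner { int major, minor; char ident[ID_MAX + 1]; };

/* Parse "SSH-<major>.<minor>-<identifier>" as sent by the server.
 * Returns 0 on success, -1 if malformed or oversized; *out is written only on success. */
int parse_banner(const char *line, size_t len, struct ssh_banner *out)
{
    char buf[LINE_CAP + 1];
    int major, minor, used = 0;
    size_t idlen;
    if (len == 0 || len > LINE_CAP || memchr(line, '\0', len))
        return -1;
    memcpy(buf, line, len);
    buf[len] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';          /* strip the line ending */
    /* Field widths keep the integers in range; %n records where the id starts. */
    if (sscanf(buf, "SSH-%5d.%5d-%n", &major, &minor, &used) != 2 ||
        used == 0 || major < 0 || minor < 0)
        return -1;
    idlen = strlen(buf + used);
    if (idlen == 0 || idlen > ID_MAX)          /* reject before any copy */
        return -1;
    out->major = major;
    out->minor = minor;
    memcpy(out->ident, buf + used, idlen + 1); /* fits: idlen <= ID_MAX */
    return 0;
}

/* Error path for an unsupported protocol version, with a bounded write.
 * Returns bytes written, or -1 if the message does not fit in dst. */
int format_unsupported(const struct ssh_banner *b, char *dst, size_t dstlen)
{
    int n = snprintf(dst, dstlen, "Unsupported protocol version %d.%d (%s)",
                     b->major, b->minor, b->ident);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : n;
}

int main(void)
{
    struct ssh_banner b;
    const char line[] = "SSH-1.5-ExampleServer_1.0\n";  /* constructed sample */
    char msg[96];
    if (parse_banner(line, sizeof line - 1, &b) == 0 &&
        format_unsupported(&b, msg, sizeof msg) > 0)
        puts(msg);
}
```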
    


