I tested this on the latest version, 3.4 and version 3.3 and they are not vulnerable. Not to be picky, but where is the exploitable vulnerability? Typing 300+ characters into my own login prompt causing my SSH client to crash doesn't exactly set off too many alarm bells.

You didn't say if you used Telnet or SSH1/2 to connect to your test box, so I tested using SSH2 as you did make a reference to encryption. Does this work with a Telnet login as well? If so, there is an exploitable scenario where one could craft an email that relies on the hope that the user, when installing SecureCRT, set it as the default Telnet client and that the user will actually click on the telnet://(Xx300)@<hostname>. This could also be used with a malicious web site I guess, but again, you are relying on a lot of factors that are out of your control.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbakat_private
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

---------- Forwarded message ----------
Date: Sun, 30 Dec 2001 02:53:51 -0800
From: blackshellat_private
To: bugtraqat_private
Cc: vuln-devat_private
Subject: blackshell1: Multiple Problems with Vandyke's SecureCRT

-----BEGIN PGP SIGNED MESSAGE-----

#####################################################
#--blackshell security advisory no1--#
#
#--multiple vulnerabilities in Vandyke's SecureCRT--##
#####################################################

########################
vendor details & history
########################

SecureCRT 2.*
SecureCRT 3.* (New version 3.4 is vulnerable)
By: Vandyke Technologies
http://www.vandyke.com/products/securecrt
Price: 1 license $99, Bundle with SecureFX $129
http://www.vandyke.com/products/securecrt/history.txt

SecureCRT combines the secure logon and data transfer capabilities of Secure Shell (SSH) with the reliability, usability and configurability of a proven Windows® terminal emulator.

###################################
details of Username Overflow(stack)
###################################

Demonstration:

1) Open up SecureCRT
2) Connect to blackshell box
3) When Login type X x 300
4) Get Crash report like:

SECURECRT caused an invalid page fault in module MSVCRT.DLL at 0177:7800cb6a.
Registers:
EAX=00720078 CS=0177 EIP=7800cb6a EFLGS=00010202
EBX=58585858 SS=017f ESP=0070b8a0 EBP=0070b8bc
ECX=58585968 DS=017f ESI=00864bbc FS=6477
EDX=58585858 ES=017f EDI=00000006 GS=0000
Bytes at CS:EIP:
89 5a 04 8b 55 0c 89 4d fc 8b 5a 04 8b 52 08 89
Stack dump:
000002a6 00864bc0 00000006 00720dd4 58585858 <-- (X = 58 in hex)
00000031 00000110 0070b900 7800c6cd 0082000c 00864ccc 000002a6 000002b4 00000006 5f401867 0070b944

Although EIP wasn't overwritten, we at blackshell found a lot of other things overwritten; this can lead to exploitation as it is still possible to take control through the EBX reg.

##############################
details of pass overflow(heap)
##############################

This is a heap overflow as none of the registers are overwritten, which means that it must have been an overflow in the heap, which leads to a sigsegv and corruption of the heap.

advanced details, same thing as uname one, same amount of characters:

1) open up SecureCRT
2) connect to blackshell lab box
3) type in at username prompt
4) put in 300 X's

Result: it should say shit about not encrypting data then

SECURECRT caused an invalid page fault in module MSVCRT.DLL at 0177:7800d07b.
Registers:
EAX=00720078 CS=0177 EIP=7800d07b EFLGS=00010206
EBX=0082000c SS=017f ESP=00701050 EBP=00701070
ECX=454645a5 DS=017f ESI=0000003f FS=348f
EDX=0086500c ES=017f EDI=0000003f GS=0000
Bytes at CS:EIP:
89 4c 11 fc 8b 75 f0 03 d1 8d 4e 01 89 0a 89 4c
Stack dump:
008626f0 000000a4 780012b1 81684c00 000000b0 00720dd4 454645a5 00000006
007010a4 7800c730 0082000c 008626f0 ffffffff 780012b1 00000001 00863970

####
note
####

this test was conducted on win9x box, and a win2k advanced server box.

under no circumstances are we liable for any misuse of this information

########
hi's to:
########

blackshell dev team, the blackshell server contributors and anyone who over the years has helped us make us what we are

#######
contact
#######

blackshellat_private

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wl8EARECAB8FAjwu9L0YHGJsYWNrc2hlbGxAaHVzaG1haWwuY29tAAoJED2VGGGCU8ut
TsoAnjyz08FT8JZipHuldevUJQVMqw42AJ0WU9URlJqFlZkXUWOVb0RYiFJylg==
=LtfT
-----END PGP SIGNATURE-----
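The disagreement in this thread (a crash that "doesn't set off alarm bells" versus "it is still possible to take control through the EBX reg") is a crash-triage question: did the repeated input byte reach the instruction pointer, a general-purpose register, only the stack, or none of the dumped state? The following is an added example, not code from either poster or from Vandyke, that parses the two Windows 9x "invalid page fault" reports quoted in the advisory and answers that question for each. The fill byte 0x58 ('X'), the two-byte threshold for a "partial" hit, and the verdict wording are the example's own assumptions.

```python
import re

# Crash reports quoted from the advisory above (Windows 9x "invalid page
# fault" format). The parser and classifier below are added example code.
USERNAME_CRASH = """\
SECURECRT caused an invalid page fault in module MSVCRT.DLL at 0177:7800cb6a.
Registers:
EAX=00720078 CS=0177 EIP=7800cb6a EFLGS=00010202
EBX=58585858 SS=017f ESP=0070b8a0 EBP=0070b8bc
ECX=58585968 DS=017f ESI=00864bbc FS=6477
EDX=58585858 ES=017f EDI=00000006 GS=0000
Bytes at CS:EIP:
89 5a 04 8b 55 0c 89 4d fc 8b 5a 04 8b 52 08 89
Stack dump:
000002a6 00864bc0 00000006 00720dd4 58585858 00000031 00000110 0070b900
7800c6cd 0082000c 00864ccc 000002a6 000002b4 00000006 5f401867 0070b944
"""

PASSWORD_CRASH = """\
SECURECRT caused an invalid page fault in module MSVCRT.DLL at 0177:7800d07b.
Registers:
EAX=00720078 CS=0177 EIP=7800d07b EFLGS=00010206
EBX=0082000c SS=017f ESP=00701050 EBP=00701070
ECX=454645a5 DS=017f ESI=0000003f FS=348f
EDX=0086500c ES=017f EDI=0000003f GS=0000
Bytes at CS:EIP:
89 4c 11 fc 8b 75 f0 03 d1 8d 4e 01 89 0a 89 4c
Stack dump:
008626f0 000000a4 780012b1 81684c00 000000b0 00720dd4 454645a5 00000006
007010a4 7800c730 0082000c 008626f0 ffffffff 780012b1 00000001 00863970
"""

FAULT_RE = re.compile(r'invalid page fault in module (\S+) at [0-9a-fA-F]{4}:[0-9a-fA-F]{8}')
REG_RE = re.compile(r'\b([A-Z]{2,5})=([0-9a-fA-F]{4,8})\b')
DWORD_RE = re.compile(r'\b[0-9a-fA-F]{8}\b')


def parse_crash_report(text):
    """Return (module, registers, stack) from a Win9x-style fault report.

    registers maps names such as 'EIP' or 'EBX' to ints; stack is the list
    of dwords from the 'Stack dump:' section in the order they appear.
    """
    m = FAULT_RE.search(text)
    module = m.group(1) if m else None
    regs, stack, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('Registers:'):
            section = 'regs'
        elif line.startswith('Bytes at CS:EIP'):
            section = 'bytes'          # opcode bytes; not needed for triage
        elif line.startswith('Stack dump:'):
            section = 'stack'
        elif section == 'regs':
            for name, value in REG_RE.findall(line):
                regs[name] = int(value, 16)
        elif section == 'stack':
            stack.extend(int(w, 16) for w in DWORD_RE.findall(line))
    return module, regs, stack


def fill_bytes(value, fill):
    """Count how many of the four bytes of a 32-bit value equal the fill byte."""
    return sum(((value >> shift) & 0xFF) == fill for shift in (0, 8, 16, 24))


def classify(regs, stack, fill=0x58):
    """Judge how far a repeated fill byte (0x58 = 'X') reached in a crash.

    'full' lists registers that hold exactly the fill pattern, 'partial'
    those with at least two fill bytes (an assumed threshold), and
    'stack_hits' counts stack slots equal to the pattern.
    """
    pattern = int.from_bytes(bytes([fill]) * 4, 'little')   # 0x58585858
    full = sorted(n for n, v in regs.items() if v == pattern)
    partial = sorted(n for n, v in regs.items()
                     if v != pattern and fill_bytes(v, fill) >= 2)
    stack_hits = sum(1 for d in stack if d == pattern)
    if 'EIP' in full:
        verdict = 'instruction pointer overwritten'
    elif full:
        verdict = 'input reached general-purpose registers'
    elif stack_hits:
        verdict = 'input on stack only'
    else:
        verdict = 'no input-derived values in dump'
    return {'full': full, 'partial': partial,
            'stack_hits': stack_hits, 'verdict': verdict}


if __name__ == '__main__':
    for label, report in (('username', USERNAME_CRASH), ('password', PASSWORD_CRASH)):
        module, regs, stack = parse_crash_report(report)
        print(label, module, classify(regs, stack))
```

Run against the advisory's own dumps, the username crash reports EBX and EDX fully equal to the pattern, ECX holding two fill bytes (0x58585968 is the pattern plus a small offset) and one stack slot equal to the pattern, while the password crash reports nothing input-derived at all, which is what the advisory's "none of the registers are overwritten" heap-corruption reading rests on. The verdict is a triage heuristic for prioritising crashes, not a statement about exploitability: a register holding input bytes says the copy ran past its buffer, and the fix is the bounds check, whichever register it lands in.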
This archive was generated by hypermail 2b30 : Sun Dec 30 2001 - 12:59:10 PST