Vulnerability Development mailing list archives

blackshell1: Multiple Problems with Vandykes SecureCRT


From: blackshell () hushmail com
Date: Sun, 30 Dec 2001 02:53:51 -0800



#####################################################
#--blackshell security advisory no1--#              #
#--multiple vulnerabilities in Vandykes SecureCRT--##
#####################################################

########################
vendor details & history
########################

SecureCRT 2.*
SecureCRT 3.* (New version 3.4 is vulnerable)

By: Vandyke Technologies http://www.vandyke.com/products/securecrt
Price: 1 license $99, Bundle with SecureFX $129

http://www.vandyke.com/products/securecrt/history.txt

SecureCRT combines the secure logon and data transfer capabilities of Secure Shell
(SSH) with the reliability, usability and configurability of a proven Windows®
terminal emulator.

###################################
details of Username Overflow(stack)
###################################

Demonstration:
1) Open up SecureCRT
2) Connect to blackshell box
3) At the login prompt, type X x 300
4) Get Crash report like:

SECURECRT caused an invalid page fault in
module MSVCRT.DLL at 0177:7800cb6a.
Registers:
EAX=00720078 CS=0177 EIP=7800cb6a EFLGS=00010202
EBX=58585858 SS=017f ESP=0070b8a0 EBP=0070b8bc
ECX=58585968 DS=017f ESI=00864bbc FS=6477
EDX=58585858 ES=017f EDI=00000006 GS=0000
Bytes at CS:EIP:
89 5a 04 8b 55 0c 89 4d fc 8b 5a 04 8b 52 08 89
Stack dump:
000002a6 00864bc0 00000006 00720dd4 58585858 <-- (X = 58 in hex)
00000031 00000110 0070b900 7800c6cd 0082000c
00864ccc 000002a6 000002b4 00000006 5f401867
0070b944

Although EIP wasn't overwritten, we at blackshell found a lot of other
things overwritten; this can lead to exploitation, as it is still
possible to take control through the EBX reg.
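As an added triage example (not part of the advisory), the following script parses a Win9x-style "invalid page fault" report like the one above and classifies which registers and stack slots hold the 0x58 fill byte, so a reader can check the author's observation (EBX/EDX fully overwritten, ECX partially, EIP untouched) mechanically instead of by eye. The report text is copied from the first crash above; the register names and the "partial" rule are this example's own assumptions.

```python
import re

# Crash report reproduced from the advisory (username field filled with 300 'X',
# i.e. 0x58 bytes); only the first two stack-dump lines are kept here.
REPORT = """\
SECURECRT caused an invalid page fault in
module MSVCRT.DLL at 0177:7800cb6a.
Registers:
EAX=00720078 CS=0177 EIP=7800cb6a EFLGS=00010202
EBX=58585858 SS=017f ESP=0070b8a0 EBP=0070b8bc
ECX=58585968 DS=017f ESI=00864bbc FS=6477
EDX=58585858 ES=017f EDI=00000006 GS=0000
Bytes at CS:EIP:
89 5a 04 8b 55 0c 89 4d fc 8b 5a 04 8b 52 08 89
Stack dump:
000002a6 00864bc0 00000006 00720dd4 58585858
00000031 00000110 0070b900 7800c6cd 0082000c
"""

# 32-bit general-purpose registers plus EIP, as printed by the Win9x fault dialog.
REG_RE = re.compile(r"\b(E[A-D]X|E[SD]I|E[BS]P|EIP)=([0-9a-fA-F]{8})\b")

def parse_registers(report):
    """Return {name: value} for the registers matched by REG_RE."""
    return {name: int(val, 16) for name, val in REG_RE.findall(report)}

def parse_stack(report):
    """Return the 32-bit words of the 'Stack dump:' section, in dump order."""
    section = report.split("Stack dump:", 1)[1]
    return [int(w, 16) for w in re.findall(r"\b[0-9a-fA-F]{8}\b", section)]

def taint_by_fill(report, fill_byte=0x58):
    """Classify where the fill byte landed.
    'full'    : all four register bytes equal the fill byte (raw copy of input).
    'partial' : only the upper two bytes match (assumed rule: worth a closer look,
                the value was derived from overwritten data).
    'stack_slots' : indices of stack words equal to the fill pattern."""
    regs = parse_registers(report)
    full_word = int.from_bytes(bytes([fill_byte] * 4), "little")
    full = sorted(r for r, v in regs.items() if v == full_word)
    partial = sorted(r for r, v in regs.items()
                     if v != full_word and (v >> 16) == (full_word >> 16))
    stack_hits = [i for i, w in enumerate(parse_stack(report)) if w == full_word]
    return {"full": full, "partial": partial, "stack_slots": stack_hits,
            "eip_controlled": regs.get("EIP") == full_word}
```

Running `taint_by_fill(REPORT)` on the second (password) report from the advisory gives empty lists, which is the observation the author uses to argue that crash is heap-related.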

##############################
details of pass overflow(heap)
##############################

This is a heap overflow, as none of the registers are overwritten,
which means that it must have been an overflow in the heap, which leads
to a SIGSEGV and corruption of the heap. Advanced details: same thing as the
username one, same number of characters:

1) open up SecureCRT
2) connect to blackshell lab box
3) type in  at username prompt
4) put in 300 X's

Result:
it should say shit about not encrypting data then

SECURECRT caused an invalid page fault in
module MSVCRT.DLL at 0177:7800d07b.
Registers:
EAX=00720078 CS=0177 EIP=7800d07b EFLGS=00010206
EBX=0082000c SS=017f ESP=00701050 EBP=00701070
ECX=454645a5 DS=017f ESI=0000003f FS=348f
EDX=0086500c ES=017f EDI=0000003f GS=0000
Bytes at CS:EIP:
89 4c 11 fc 8b 75 f0 03 d1 8d 4e 01 89 0a 89 4c
Stack dump:
008626f0 000000a4 780012b1 81684c00 000000b0 00720dd4
454645a5 00000006 007010a4 7800c730 0082000c 008626f0
ffffffff 780012b1 00000001 00863970

####
note
####

This test was conducted on a win9x box and a win2k advanced server
box. Under no circumstances are we liable for any misuse of this
information.

########
hi's to:
########

blackshell dev team, the blackshell server contributors and anyone who
over the years has helped us make us what we are

#######
contact
#######

blackshell () hushmail com
