From: @stake Advisories (@stake)
Date: Fri Feb 16 2001 - 17:03:46 CST


                                   @stake Inc.
                                www.atstake.com

                               Security Advisory

    Advisory Name: VShell code execution and port forwarding permissions
     Release Date: 02/16/2001
      Application: Van Dyke Technologies VShell v1.0 Official Release
                     Van Dyke Technologies VShell v1.0.1 Official Release
         Platform: Windows NT4 SP6a / Windows 2000 SP1
         Severity: Remote Arbitrary code execution as LocalSystem
           Author: Ollie Whitehouse [ollie@atstake.com]
                     David Litchfield [dlitchfield@atstake.com]
    Vendor Status: vendor has fixed version available for download
              CVE: CAN-2001-0155, CAN-2001-0156
        Reference: www.atstake.com/research/advisories/2001/a021601-1.txt

    Overview:

            Van Dyke Technologies VShell (http://www.vandyke.com/) is
    the new SSH gateway for the Microsoft Windows NT and Windows 2000
    platforms. It lets existing SSH clients on a wide range of
    platforms securely administer Windows NT 4 and Windows 2000
    environments through a command console. In addition, like its UNIX
    counterparts, VShell supports port forwarding of services. Port
    forwarding allows insecure protocols to be tunnelled over SSH
    across the public Internet in encrypted form. There is a
    vulnerability in the way VShell accepts usernames: it is
    susceptible to a buffer overflow that could allow a remote attacker
    to execute arbitrary code in the context of the VShell service,
    which by default runs as LocalSystem.

    In addition to the above vulnerability, VShell ships by default with
    a port forwarding rule of 0.0.0.0/0.0.0.0 to any port. This would
    allow any user with a valid Windows NT account on the SSH gateway and
    prior knowledge of the internal IP addressing scheme to port forward
    to any internally or externally hosted service that is reachable from
    the SSH gateway.
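    As an added illustration (not from the advisory and not VShell's own
    configuration format), the following Python models forwarding rules
    as address/netmask pairs and shows why the shipped 0.0.0.0/0.0.0.0
    rule matches every destination while a host-specific rule does not.
    The rule syntax, the function names and the sample addresses are
    assumptions made for the example.

```python
"""Evaluate SSH port-forwarding permission rules written as address/netmask pairs.

Constructed illustration: the address/netmask/port rule shape is an assumed
representation for the example, not VShell's actual configuration format.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ForwardRule:
    address: str            # e.g. "0.0.0.0"
    netmask: str            # "0.0.0.0" covers every host; "255.255.255.255" one host
    port: Optional[int]     # None means any destination port

    def network(self) -> ipaddress.IPv4Network:
        # strict=False lets a host address be given with a wide mask.
        return ipaddress.IPv4Network(f"{self.address}/{self.netmask}", strict=False)

    def matches(self, dest_ip: str, dest_port: int) -> bool:
        in_net = ipaddress.IPv4Address(dest_ip) in self.network()
        return in_net and (self.port is None or self.port == dest_port)


def forward_allowed(rules: List[ForwardRule], dest_ip: str, dest_port: int) -> bool:
    """True if any rule permits a forward to dest_ip:dest_port."""
    return any(r.matches(dest_ip, dest_port) for r in rules)


def permissive_rules(rules: List[ForwardRule]) -> List[ForwardRule]:
    """Audit helper: rules whose mask covers the whole address space (prefix /0)."""
    return [r for r in rules if r.network().prefixlen == 0]


# The shipped default described in the advisory: any host, any port.
DEFAULT_RULES = [ForwardRule("0.0.0.0", "0.0.0.0", None)]

# A tightened policy (constructed sample): only an internal mail relay on port 25.
RESTRICTED_RULES = [ForwardRule("10.1.2.25", "255.255.255.255", 25)]

if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_RULES), ("restricted", RESTRICTED_RULES)):
        print(label, "allows RDP to 192.168.5.9:",
              forward_allowed(rules, "192.168.5.9", 3389),
              "| permissive rules:", len(permissive_rules(rules)))
```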

    This is another demonstration of why the default rules that ship with
    an application should be reviewed before it is installed in a hostile
    environment, and why application developers should review their
    programming practices.

    Vendor Response:

    We commend Van Dyke Technologies for their handling of this issue.
    They fixed the problem a few days after we notified them. All
    vendors should take security fixes this seriously.

    New version available on web site:

            VShell 1.0.2 - http://www.vandyke.com/download/vshell

    Advisory Reference:

    http://www.atstake.com/research/advisories/2001/a021601-1.txt

    ** The advisory contains additional information. We encourage those
    ** affected by this issue to read the advisory.
    **
    ** All vulnerability database maintainers should reference the above
    ** advisory reference URL to refer to this advisory.

    Advisory policy: http://www.atstake.com/research/policy/
    For more advisories: http://www.atstake.com/research/index.html
    PGP Key: http://www.atstake.com/research/pgp_key.asc
