From: stake Advisories (stake)
Date: Fri Feb 16 2001 - 17:03:46 CST
-----BEGIN PGP SIGNED MESSAGE-----
Advisory Name: VShell code execution and port forwarding permissions
Release Date: 02/16/2001
Application: Van Dyke Technologies VShell v1.0 Official Release
Van Dyke Technologies VShell v1.0.1 Official Release
Platform: Windows NT4 SP6a / Windows 2000 SP1
Severity: Remote Arbitrary code execution as LocalSystem
Author: Ollie Whitehouse [ollie@atstake.com]
David Litchfield [dlitchfield@atstake.com]
Vendor Status: vendor has fixed version available for download
CVE: CAN-2001-0155, CAN-2001-0156
Van Dyke Technologies VShell (http://www.vandyke.com/) is
the new SSH gateway for the Microsoft Windows NT and Windows 2000
platform. It lets existing SSH clients on a large number of
platforms securely administer Windows NT 4 and Windows 2000
environments via a command console. In addition, like its UNIX
counterparts, VShell enables port forwarding of services. Port
forwarding enables insecure protocols to be tunnelled over SSH
across the public Internet in an encrypted manner. There exists
a vulnerability in the way in which VShell accepts usernames. This
vulnerability makes it susceptible to a buffer overflow attack that
could allow a malicious attacker to execute arbitrary code as the
VShell service. This service by default runs as LocalSystem.
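The username handling described above is the classic failure of trusting an attacker-supplied length. The following is an added example, not VShell's code and not from the advisory authors; it assumes the SSH wire layout for a string (a big-endian uint32 length followed by the bytes) and a hypothetical fixed-size destination buffer, and shows the check a hardened server must perform before copying: the declared length is validated against both the remaining packet and the destination buffer, so a lying length field is rejected instead of overrunning the stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size username buffer; the limit is an assumption
   for this example, not a value taken from VShell. */
#define MAX_USERNAME 32

/* Read a big-endian uint32, the SSH "string" length prefix. */
static uint32_t read_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse an SSH-style string (uint32 length + bytes) into out[outlen].
   Returns the number of packet bytes consumed, or -1 if the declared
   length exceeds the packet or would not fit the destination buffer.
   The unsafe pattern this replaces copies `len` bytes (or strcpy()s a
   NUL-terminated name) into a fixed buffer without either check. */
int parse_username(const unsigned char *buf, size_t buflen,
                   char *out, size_t outlen) {
    if (buflen < 4) return -1;              /* no room for the length field */
    uint32_t len = read_u32(buf);
    if (len > buflen - 4) return -1;        /* declared length exceeds packet */
    if (len >= outlen) return -1;           /* would not fit with terminator */
    memcpy(out, buf + 4, len);
    out[len] = '\0';
    return (int)(4 + len);
}

/* Constructed sample packets (not real captures) exercising the checks. */

/* Well-formed 5-byte name: returns 1 if parsed as "alice" in 9 bytes. */
int demo_parse_valid(void) {
    const unsigned char pkt[] = { 0, 0, 0, 5, 'a', 'l', 'i', 'c', 'e' };
    char name[MAX_USERNAME];
    int used = parse_username(pkt, sizeof pkt, name, sizeof name);
    return used == 9 && strcmp(name, "alice") == 0;
}

/* Length field claims 0xFFFFFFFF bytes but only one follows. */
int demo_parse_lying_length(void) {
    const unsigned char pkt[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'a' };
    char name[MAX_USERNAME];
    return parse_username(pkt, sizeof pkt, name, sizeof name);
}

/* Consistent packet, but the 64-byte name exceeds MAX_USERNAME. */
int demo_parse_oversize(void) {
    unsigned char pkt[4 + 64] = { 0, 0, 0, 64 };
    char name[MAX_USERNAME];
    memset(pkt + 4, 'A', 64);
    return parse_username(pkt, sizeof pkt, name, sizeof name);
}

int main(void) {
    printf("valid name parsed:        %d\n", demo_parse_valid());
    printf("lying length rejected:    %d\n", demo_parse_lying_length());
    printf("oversize name rejected:   %d\n", demo_parse_oversize());
    return 0;
}
```

The two rejections are distinct: the first protects against reading past the end of the received packet, the second against writing past the end of the local buffer. A server that performs only one of them is still overflowable.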
In addition to the above vulnerability, by default VShell comes with
a port forwarding rule of 0.0.0.0/0.0.0.0 to any port. This would
allow any user with a valid Windows NT account on the SSH gateway and
prior knowledge of the internal IP addressing scheme to port forward
to any internally or externally hosted service which is accessible from
the SSH gateway.
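To make the effect of the default rule concrete, here is an added example (not VShell's configuration code or format, and not from the advisory) of a default-deny port-forward rule evaluator. A rule is a network, a netmask and a port (0 meaning any port); the constructed rule sets below show that 0.0.0.0/0.0.0.0 to any port matches every destination, while a rule scoped to one subnet and one port rejects everything else.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t net;    /* network address, host byte order */
    uint32_t mask;   /* netmask, host byte order */
    uint16_t port;   /* destination port; 0 = any port */
} fwd_rule;

/* Parse a dotted-quad IPv4 address into host-order uint32.
   Returns 1 on success, 0 on any malformed input. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

static fwd_rule make_rule(const char *net, const char *mask, uint16_t port) {
    fwd_rule r = { 0, 0, port };
    parse_ipv4(net, &r.net);
    parse_ipv4(mask, &r.mask);
    return r;
}

/* Returns 1 if some rule permits forwarding to dst:port, else 0.
   Unparseable destinations are denied rather than matched. */
int forward_allowed(const fwd_rule *rules, size_t n,
                    const char *dst, uint16_t port) {
    uint32_t ip;
    if (!parse_ipv4(dst, &ip)) return 0;
    for (size_t i = 0; i < n; i++) {
        int net_ok  = (ip & rules[i].mask) == (rules[i].net & rules[i].mask);
        int port_ok = rules[i].port == 0 || rules[i].port == port;
        if (net_ok && port_ok) return 1;
    }
    return 0;
}

/* The shipped default: 0.0.0.0/0.0.0.0, any port. Mask 0 matches all. */
int allowed_under_default(const char *dst, uint16_t port) {
    const fwd_rule rules[] = { { 0, 0, 0 } };
    return forward_allowed(rules, 1, dst, port);
}

/* A constructed replacement: only RDP to one internal subnet. */
int allowed_under_restricted(const char *dst, uint16_t port) {
    const fwd_rule rules[] = {
        make_rule("10.0.5.0", "255.255.255.0", 3389),
    };
    return forward_allowed(rules, 1, dst, port);
}

int main(void) {
    printf("default  10.1.2.3:445     -> %d\n", allowed_under_default("10.1.2.3", 445));
    printf("default  203.0.113.9:80   -> %d\n", allowed_under_default("203.0.113.9", 80));
    printf("strict   10.0.5.7:3389    -> %d\n", allowed_under_restricted("10.0.5.7", 3389));
    printf("strict   10.0.5.7:445     -> %d\n", allowed_under_restricted("10.0.5.7", 445));
    printf("strict   10.0.6.1:3389    -> %d\n", allowed_under_restricted("10.0.6.1", 3389));
    return 0;
}
```

Because the netmask 0.0.0.0 masks every address bit away, the default rule can never fail to match; an administrator who leaves it in place has granted every account holder a forwarding path to every host the gateway can reach, which is what the advisory warns about.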
This is another demonstration of why default rules within applications
should be reviewed before installing in hostile environments and that
application developers should review programming practices.
We commend Van Dyke Technologies for their handling of this issue.
They fixed the problem a few days after we notified them. All
vendors should take security fixes this seriously.
New version available on web site:
VShell 1.0.2 - http://www.vandyke.com/download/vshell
** The advisory contains additional information. We encourage those
** affected by this issue to read the advisory.
** All vulnerability database maintainers should reference the above
** advisory reference URL to refer to this advisory.
Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/index.html
PGP Key: http://www.atstake.com/research/pgp_key.asc
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
-----END PGP SIGNATURE-----