[26364] in bugtraq
Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta
daemon@ATHENA.MIT.EDU (Bela Lubkin)
Sat Jul 27 20:55:56 2002
Date: Fri, 26 Jul 2002 15:41:10 -0700
From: Bela Lubkin <belal@caldera.com>
To: bugtraq@securityfocus.com
Message-ID: <20020726154110.A7856@mammoth.ca.caldera.com>
In-Reply-To: <JIEPJGFPFMFIGBNCPKGGGEJHCLAA.bstrauss3@attbi.com>; from bstrauss3@attbi.com on Fri, Jul 26, 2002 at 03:42:10PM -0500

Burton M. Strauss III wrote:
> You know, that's only partially a solution. For those of us who haven't
> chosen to PAY for the upgrade to 3.4, we're left out in the cold. Quoting
> from VanDyke's web page:
>
> "All users may evaluate SecureCRT 3.4 for 30 days free of charge. Registered
> users who purchased licenses before July 1, 2000 should consult the Upgrade
> Eligibility page to learn about licensing the 3.4 upgrade."
>
> and
>
> "SecureCRT Upgrade
>
> Registered users who purchased licenses before July 1, 2001 may choose to
> purchase SecureCRT upgrades starting at $39.95 for a single copy.
>
> <snip />
>
> SecureCRT users who purchased licenses between January 1 and July 1, 2000
> are eligible to download SecureCRT 3.3.3 and upgrade without charge.
> SecureCRT users who purchased licenses before January 1, 2000 are eligible
> to download SecureCRT 3.2.1 and upgrade without charge."
>
>
> I'm not unsympathetic to the need to have a licensing revenue stream, but
> let's remember that this leaves (dozens? hundreds? thousands? Just me) of
> your customers unprotected.

One of the README files on their site (I read it earlier today and
didn't note the URL) says that a patched 3.2.1 version will be made
available shortly. They are not leaving you out in the cold. You just
need to wait a couple of days before resuming your practice of ssh'ing
in to untrusted sites.

(BTW, if sshd on a site might be a corrupted, malicious trojan which
injects code into your local ssh client -- might it not also be a
corrupted, malicious trojan which records encrypted password
information, passes on a decrypted stream of everything you type in a
session, or who knows what else? If you do not trust the sshd to which
you are connecting, I'm not sure it makes very much difference whether
the client has code-injection portholes or not...)

>Bela<