[26366] in bugtraq
Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta
daemon@ATHENA.MIT.EDU (Bela Lubkin)
Sun Jul 28 03:50:18 2002
Date: Sat, 27 Jul 2002 22:22:54 -0700
From: Bela Lubkin <belal@caldera.com>
To: bugtraq@securityfocus.com
Message-ID: <20020727222254.A17136@mammoth.ca.caldera.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.GSO.4.40.0207271922190.26417-100000@ucsub.colorado.edu>; from hardingr@ucsub.colorado.edu on Sat, Jul 27, 2002 at 07:32:48PM -0600
Russell Harding wrote:
> Of course it matters if the client has code-injection 'portholes' as you
> call them. Someone may be using nasty tricks through ARP, DNS, or even
> manipulating routing tables, such that you are not actually connecting to
> a host you trust. This is why ssh implements host keys, so you can verify
> the authenticity of the remote host. However, in the case described
> above, with SecureCRT, your machine would already be compromised before
> host key verification took place.
Thanks (and to Jim Paris).
I of course did not mean that it was OK for the client to have code
injection "portholes". I just meant that the particular exploit path
that was described wasn't very interesting since someone who maliciously
controls the sshd to which you are speaking has so many other
opportunities to exploit you.
>Bela<