SecurityTracker.com
Category:   Application (Security)  >   VShell
Vendors:   Van Dyke Technologies
Van Dyke Technologies VShell SSH Gateway Allows Remote Execution of Arbitrary Code and Permits Authorized Users to Forward Connections to Any Host
SecurityTracker Alert ID:  1000944
SecurityTracker URL:  http://securitytracker.com/id/1000944
CVE Reference:   CAN-2001-0155   (Links to External Site)
Updated:  Feb 16 2001
Original Entry Date:  Feb 16 2001
Impact:   Execution of arbitrary code via network, Host/resource access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): v1.0, v1.0.1
Description:   @Stake has released an advisory describing two vulnerabilities in the Van Dyke Technologies VShell SSH gateway for Windows NT and Windows 2000. The first is a buffer overflow in the handling of user names that can allow arbitrary code to be executed remotely. The second is a default port forwarding rule that allows authorized users to forward packets to any IP address.

There is a buffer overflow vulnerability that can be exploited via VShell's acceptance of user names. This can allow an attacker to remotely cause arbitrary code to be executed on the server with the privileges of the VShell server. The VShell service by default runs in the LocalSystem context.

Also, VShell installs with a default port forwarding rule of 0.0.0.0/0.0.0.0 to any port. This allows any user who has a valid Windows account on the VShell SSH gateway and knows the internal IP addressing scheme to forward packets to any internally or externally hosted service that is reachable from the gateway.

See the @Stake advisory for more information.
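
The effect of the default forwarding rule can be seen by evaluating address/netmask rules against a few destinations. The following is an added example, not code from the advisory or from VShell; the (address, netmask, port) tuple format, the function names and the sample addresses are assumptions made for illustration and do not reflect VShell's actual configuration format.

```python
import ipaddress

def _ip(value):
    return int(ipaddress.IPv4Address(value))

def rule_matches(rule, dest_ip, dest_port):
    """rule is (address, netmask, port); port None means any port (assumed format)."""
    addr, mask, port = rule
    m = _ip(mask)
    # A destination matches when its masked bits equal the rule's masked bits.
    # With mask 0.0.0.0 both sides are always 0, so every address matches.
    return (_ip(dest_ip) & m) == (_ip(addr) & m) and port in (None, dest_port)

def forward_allowed(rules, dest_ip, dest_port):
    return any(rule_matches(r, dest_ip, dest_port) for r in rules)

def overly_broad(rules, max_hosts=256):
    """Return rules whose netmask covers more than max_hosts addresses."""
    flagged = []
    for rule in rules:
        host_bits = 32 - bin(_ip(rule[1])).count("1")
        if 2 ** host_bits > max_hosts:
            flagged.append(rule)
    return flagged

# Constructed rule sets: the allow-any default described in the advisory,
# and a hypothetical restricted replacement.
DEFAULT_RULES = [("0.0.0.0", "0.0.0.0", None)]
RESTRICTED_RULES = [
    ("10.1.2.10", "255.255.255.255", 3389),  # one host, one port
    ("10.1.2.0", "255.255.255.0", 22),       # one subnet, SSH only
]

# Constructed destinations: internal hosts and one external host.
SAMPLE_DESTS = [("10.1.2.10", 3389), ("10.9.9.9", 1433), ("192.0.2.50", 25)]

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("restricted", RESTRICTED_RULES)):
        for ip, port in SAMPLE_DESTS:
            verdict = "allow" if forward_allowed(rules, ip, port) else "deny"
            print(f"{name:10} {ip}:{port} -> {verdict}")
        print(f"{name:10} overly broad rules: {overly_broad(rules)}")
```

A rule audit like `overly_broad` is the kind of review the advisory recommends before deploying a gateway with vendor defaults.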

Impact:   An attacker could remotely cause arbitrary code to be executed on the VShell gateway. An authorized user could cause packets to be forwarded to any IP address, possibly circumventing access controls.
Solution:   Update to the new version, VShell 1.0.2. See: http://www.vandyke.com/download/vshell
Vendor URL:  www.vandyke.com (Links to External Site)
Cause:   Boundary error, Configuration error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  @stake Advisory Notification: VShell code execution and port forw


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                               @stake Inc.
                            www.atstake.com

                           Security Advisory

Advisory Name: VShell code execution and port forwarding permissions
 Release Date: 02/16/2001
  Application: Van Dyke Technologies VShell v1.0 Official Release
                 Van Dyke Technologies VShell v1.0.1 Official Release
     Platform: Windows NT4 SP6a / Windows 2000 SP1
     Severity: Remote Arbitrary code execution as LocalSystem
       Author: Ollie Whitehouse [ollie@atstake.com]
                 David Litchfield [dlitchfield@atstake.com]
Vendor Status: vendor has fixed version available for download
            CVE: CAN-2001-0155, CAN-2001-0156
    Reference: www.atstake.com/research/advisories/2001/a021601-1.txt


Overview:

        Van Dyke Technologies VShell (http://www.vandyke.com/) is
the new SSH gateway for the Microsoft Windows NT and Windows 2000
platform. This enables existing SSH clients for a large number of
platforms to securely administer via a command console Windows NT
4 and Windows 2000 environments. In addition, like its UNIX
counterparts, VShell enables port forwarding of services. Port
forwarding enables insecure protocols to be tunnelled over SSH
across the public Internet in an encrypted manner. There exists
a vulnerability in the way in which VShell accepts usernames. This
vulnerability makes it susceptible to a buffer overflow attack that
could allow a malicious attacker to execute arbitrary code as the
VShell service. This service by default runs in the LocalSystem
context.

In addition to the above vulnerability by default VShell comes with
a port forwarding rule of 0.0.0.0/0.0.0.0 to any port. This would
allow any user with a valid Windows NT account on the SSH gateway and
prior knowledge of the Internal IP addressing scheme to port forward
to any internally or externally hosted service which is accessible from
the SSH gateway.

This is another demonstration of why default rules within applications
should be reviewed before installing in hostile environments and that
application developers should review programming practices.

Vendor Response:

We commend Van Dyke Technologies for their handling of this issue.
They fixed the problem a few days after we notified them.  All
vendors should take security fixes this seriously.

New version available on web site:

        VShell 1.0.2 - http://www.vandyke.com/download/vshell


Advisory Reference:

http://www.atstake.com/research/advisories/2001/a021601-1.txt

** The advisory contains additional information.  We encourage those
** affected by this issue to read the advisory.
**
** All vulnerability database maintainers should reference the above
** advisory reference URL to refer to this advisory.

Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/index.html
PGP Key: http://www.atstake.com/research/pgp_key.asc
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOo2yrlESXwDtLdMhEQKz2gCdF/J7uZzbV22J8GPcZETYNPY0eggAniYK
WC40J+mSAaO2qw4LjMnzw/k8
=OLtG
-----END PGP SIGNATURE-----

Copyright 2017, SecurityGlobal.net LLC