Van Dyke Technologies VShell SSH Gateway Allows Remote Execution of Arbitrary Code and Permits Authorized Users to Forward Connections to Any Host
SecurityTracker Alert ID: 1000944
SecurityTracker URL: http://securitytracker.com/id/1000944
Updated: Feb 16 2001
Original Entry Date: Feb 16 2001
Execution of arbitrary code via network, Host/resource access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): v1.0, v1.0.1
@Stake has released an advisory describing two vulnerabilities in the Van Dyke Technologies VShell SSH gateway for Windows NT and Windows 2000. The first vulnerability is a buffer overflow in the handling of user names that can allow arbitrary code to be remotely executed. The second vulnerability is a default rule that allows authorized users to forward packets to any IP address.
There is a buffer overflow vulnerability in the way VShell accepts user names. This can allow a remote attacker to cause arbitrary code to be executed on the server with the privileges of the VShell server. The VShell service by default runs in the LocalSystem context.
Also, VShell installs with a default port forwarding rule of 0.0.0.0/0.0.0.0 to any port. This allows any user who has a valid Windows account on the VShell SSH gateway and knows the internal IP addressing scheme to forward packets to any internally or externally hosted service that is accessible from the VShell SSH gateway.
See the @Stake advisory for more information.
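The effect of the default forwarding rule can be shown with a small rule evaluator and audit. This is an added example, not code from the advisory or from VShell: the rule tuples, function names and sample addresses are constructed, and only the 0.0.0.0/0.0.0.0 network/netmask notation is taken from the text above.

```python
import ipaddress

# Constructed rule sets as (network/netmask, port) pairs. The notation follows
# the advisory's "0.0.0.0/0.0.0.0 to any port" wording; it is an assumption,
# not VShell's actual configuration format.
DEFAULT_RULES = [("0.0.0.0/0.0.0.0", "any")]
RESTRICTED_RULES = [
    ("10.1.2.10/255.255.255.255", "3389"),  # one named host, one service
    ("10.1.3.0/255.255.255.0", "22"),       # one subnet, SSH only
]

def parse_rule(network, port):
    """Turn a (network/netmask, port) pair into (IPv4Network, port or None)."""
    net = ipaddress.ip_network(network, strict=False)
    return net, (None if port == "any" else int(port))

def is_allowed(rules, dest_ip, dest_port):
    """Default deny: a forward is permitted only if some rule matches it."""
    addr = ipaddress.ip_address(dest_ip)
    for network, port in rules:
        net, allowed_port = parse_rule(network, port)
        if addr in net and (allowed_port is None or allowed_port == dest_port):
            return True
    return False

def audit(rules, max_hosts=256):
    """Return (network, port, reason) findings for overly broad rules."""
    findings = []
    for network, port in rules:
        net, allowed_port = parse_rule(network, port)
        if net.prefixlen == 0:
            findings.append((network, port, "matches every IPv4 address"))
        elif net.num_addresses > max_hosts:
            findings.append((network, port, f"covers {net.num_addresses} addresses"))
        if allowed_port is None:
            findings.append((network, port, "allows any port"))
    return findings

if __name__ == "__main__":
    # Constructed destinations: one intended host, one internal, one external.
    targets = [("10.1.2.10", 3389), ("10.9.9.9", 445), ("198.51.100.7", 25)]
    for name, rules in (("default", DEFAULT_RULES), ("restricted", RESTRICTED_RULES)):
        print(name, "findings:", audit(rules))
        for ip, port in targets:
            verdict = "allowed" if is_allowed(rules, ip, port) else "denied"
            print(f"  {ip}:{port} {verdict}")
```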
An attacker could remotely cause arbitrary code to be executed on the VShell gateway. An authorized user could cause packets to be forwarded to any IP address, possibly circumventing access controls.
Update to the new version, VShell 1.0.2. See: http://www.vandyke.com/download/vshell
Vendor URL: www.vandyke.com
Boundary error, Configuration error
Underlying OS: Windows (NT), Windows (2000)
Source Message Contents
Subject: @stake Advisory Notification: VShell code execution and port forw
-----BEGIN PGP SIGNED MESSAGE-----
Advisory Name: VShell code execution and port forwarding permissions
Release Date: 02/16/2001
Application: Van Dyke Technologies VShell v1.0 Official Release
             Van Dyke Technologies VShell v1.0.1 Official Release
Platform: Windows NT4 SP6a / Windows 2000 SP1
Severity: Remote Arbitrary code execution as LocalSystem
Author: Ollie Whitehouse [firstname.lastname@example.org]
        David Litchfield [email@example.com]
Vendor Status: vendor has fixed version available for download
CVE: CAN-2001-0155, CAN-2001-0156
Van Dyke Technologies VShell (http://www.vandyke.com/) is
the new SSH gateway for the Microsoft Windows NT and Windows 2000
platform. This enables existing SSH clients for a large number of
platforms to securely administer via a command console Windows NT
4 and Windows 2000 environments. In addition, like its UNIX
counterparts, VShell enables port forwarding of services. Port
forwarding enables insecure protocols to be tunnelled over SSH
across the public Internet in an encrypted manner. There exists
a vulnerability in the way in which VShell accepts usernames. This
vulnerability makes it susceptible to a buffer overflow attack that
could allow a malicious attacker to execute arbitrary code as the
VShell service. This service by default runs in the LocalSystem
In addition to the above vulnerability by default VShell comes with
a port forwarding rule of 0.0.0.0/0.0.0.0 to any port. This would
allow any user with a valid Windows NT account on the SSH gateway and
prior knowledge of the Internal IP addressing scheme to port forward
to any internally or externally hosted service which is accessible from
the SSH gateway.
This is another demonstration of why default rules within applications
should be reviewed before installing in hostile environments and that
application developers should review programming practices.
We commend Van Dyke Technologies for their handling of this issue.
They fixed the problem a few days after we notified them. All
vendors should take security fixes this seriously.
New version available on web site:
VShell 1.0.2 - http://www.vandyke.com/download/vshell
** The advisory contains additional information. We encourage those
** affected by this issue to read the advisory.
** All vulnerability database maintainers should reference the above
** advisory reference URL to refer to this advisory.
Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/index.html
PGP Key: http://www.atstake.com/research/pgp_key.asc
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
-----END PGP SIGNATURE-----