|
#######################################################################
Luigi Auriemma
Application: VanDyke VShell
http://www.vandyke.com/products/vshell/index.html
Versions: <= 3.0.3.569
Platforms: Windows mainly affected, anyway the server works also on
Linux, Solaris, FreeBSD, Mac OS X, HP-UX and AIX
Bug: exception error message (or termination if in debug mode)
Exploitation: remote
Date: 02 Jan 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
VanDyke VShell is a commercial SSH server.
#######################################################################
======
2) Bug
======
The VShell server showes a message box if an exception occurs (I talk
about the program when runs on the Windows platform).
Other than this message on the screen there are no other side effects,
the server will continue to work normally and the remote users will
see no problems.
ONLY if the admin clicks on the message box the server will terminate
or the termination will be automatic if the server is running in debug
mode.
The exception to exploit for causing this problem is in Get_mpint of
SSH2Core43U.dll using a wrong size of the exchanged keys data.
Important note:
naturally this bug can't be defined a real security risk due to the
previous explanation, I have decided to keep track of this problem only
for thoroughness and because it remains a small problem for the
administrators which see the error message.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/vshellmsg.zip
#######################################################################
======
4) Fix
======
As already said this bug can't be considered a real security risk.
#######################################################################
|
