List:       full-disclosure
Subject:    [Full-disclosure] Advisory Notification
From:       Raffaele Addesso <r.addesso () intersistemi ! it>
Date:       2013-02-28 11:53:11
Message-ID: CAK2yVmEoV=4HU3=juRbcx-HJZsZT2Zq3rNFAuQQxvFnjWbF4Tw () mail ! gmail ! com
Advisory ID: EWS00001
Product: SecureCRT
Vendor: www.vandyke.com
Vulnerable Version(s): 7.0.3 and probably prior
Tested Version: 7.0.3
Vendor Notification: February 23, 2013
Vendor Patch: No patch
Public Disclosure: February 28, 2013
Vulnerability Type: Insecure password stored
Risk Level: Medium
Solution Status: Workaround by Vendor
Discovered and Provided: Intersistemi Spa EWS Early Warning Services (
http://www.intersistemi.it/ )

-----------------------------------------------------------------------------------------------
Successful exploitation allows a malicious person to reveal the encrypted
password stored in the session .ini configuration file.

Advisory Details

To exploit the vulnerability:

1) Edit the session .ini file, for example by changing the username to an
invalid one.

For example:

S:"Server To Client MACs"=MD5,SHA1,SHA1-96,MD5-96
S:"Username"=root  (change to roots)
D:"Disable Resize"=00000002
D:"Audio Bell"=00000001

2) Save and try to connect to the server. The client then tries to
establish an SSH connection; when authentication fails, the client shows
a pre-filled popup form with the (false) username and the password
obscured by asterisks.


3) Now we use a simple piece of software such as Asterisk Key to reveal
the hidden password.



-----------------------------------------------------------------------------------------------

Solution:

In the interim, there are ways to work around the problem
and mitigate the issue:

   1) Do not save passwords. The ability to save passwords is
      a feature that many of our customers find convenient,
      even though it is not a best practice.

   2) Disable saving passwords within SecureCRT.  For
      administrators who want to ensure a high level of
      security, we strongly recommend disabling the save
      password functionality entirely.  SecureCRT provides a
      GPO Administrative template to enable administrators to
      control whether saving passwords is allowed. Information
      about this administrative template can be found in the
      SecureCRT help under the "Administrative Template"
      topic. Individuals who desire more information regarding
      this administrative restriction should contact our
      technical support team: support@vandyke.com.

-----------------------------------------------------------------------------------------------

-- 
Raffaele Addesso
______________________
Intersistemi EWS (Early Warning Service)
Intersistemi Italia S.p.A.
Via dei Galla e dei Sidama, 23
00199 - Rome (Italy)
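
A defender-side check for the vendor workaround above, as an added example that is not part of the original advisory or of SecureCRT: it parses the TYPE:"Name"=value session format shown in the advisory and reports session files that still hold a saved password, without printing the stored value. The option names "Password", "Password V2" and "Session Password Saved" are assumptions not quoted in the advisory, and the sample sessions are constructed.

```python
import re
from pathlib import Path

# Line shape seen in the advisory's sample: TYPE:"Name"=value (S string, D dword).
LINE_RE = re.compile(r'^([A-Z]):"([^"]+)"=(.*)$')
# Assumed option names (not quoted in the advisory); adjust to your session files.
PASSWORD_KEYS = ("Password", "Password V2")
SAVED_FLAG_KEY = "Session Password Saved"

def parse_session(text):
    """Parse session .ini text into {option name: (type letter, value)}."""
    options = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            kind, name, value = m.groups()
            options[name] = (kind, value.strip())
    return options

def audit_session(text):
    """Return findings for one session; the stored secret is never echoed."""
    opts = parse_session(text)
    findings = []
    for key in PASSWORD_KEYS:
        value = opts.get(key, ("S", ""))[1]
        if value:
            findings.append(f'non-empty "{key}" value ({len(value)} chars)')
    kind, flag = opts.get(SAVED_FLAG_KEY, ("D", "0"))
    if kind == "D" and re.fullmatch(r"[0-9A-Fa-f]+", flag) and int(flag, 16):
        findings.append(f'"{SAVED_FLAG_KEY}" is enabled')
    return findings

def audit_tree(root):
    """Map each session .ini under root to its findings (flagged files only)."""
    report = {}
    for path in sorted(Path(root).rglob("*.ini")):
        text = path.read_text(encoding="utf-8-sig", errors="replace")
        findings = audit_session(text)
        if findings:
            report[str(path)] = findings
    return report

# Constructed sample sessions (not taken from a real system).
SAMPLE_SAVED = ('S:"Username"=root\nS:"Password"=CONSTRUCTED_PLACEHOLDER\n'
                'D:"Session Password Saved"=00000001\nD:"Disable Resize"=00000002\n')
SAMPLE_CLEAN = ('S:"Username"=root\nS:"Password"=\n'
                'D:"Session Password Saved"=00000000\nD:"Audio Bell"=00000001\n')

if __name__ == "__main__":
    for label, text in (("saved", SAMPLE_SAVED), ("clean", SAMPLE_CLEAN)):
        print(label, audit_session(text))
```

Point audit_tree() at the directory that holds the session files to list every session that still carries a saved credential after the "do not save passwords" policy has been rolled out.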
