VanDyke Software SecureCRT security vulnerability

Vulnerability ID 2029709 Vulnerability type Input validation error
Published 2020-05-17 Updated 2020-08-03
CVE number CVE-2020-12651

CNNVD ID CNNVD-202005-814
Platform N/A CVSS score N/A
|Source
https://cxsecurity.com/issue/WLB-2020050128
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202005-814
|Details
VanDyke Software SecureCRT is a suite of SSH and Telnet client and virtual terminal software from the US company VanDyke Software.
Versions of VanDyke Software SecureCRT prior to 8.7.2 contain a security vulnerability. A remote attacker can exploit it to execute arbitrary code.
|Exploit
securecrt: memory corruption in CSI functions CVE-2020-12651
I noticed a vulnerability in SecureCRT that allows a remote system to corrupt memory in the terminal process and execute arbitrary code.
The bug is that if you specify a line number to CSI functions that exceeds INT_MAX, the unsigned integer is used in signed comparisons and wraps around.
https://invisible-island.net/xterm/ctlseqs/ctlseqs.html#h3-Functions-using-CSI-_-ordered-by-the-final-character_s_
The terminal has an array of line buffers it uses for managing the current screen, and this bug means you can corrupt buffers outside of those array bounds.
To reproduce this bug, follow the following steps:
(I tested VT100 and XTerm emulation on Windows 10 x64, I assume other platforms/configurations are affected).
1. Create a new SSH session, accept all the default settings.
2. Connect to a remote system, and run this command (I assume gnu printf):
$ printf "\e[%uM%*c" -$((1 << 30)) $COLUMNS A
That's CSI DL (Delete Line), but other line functions work too, e.g. IL, but it requires a longer reproducer:
$ tput clear; tput cup 0 0; for ((i=0; i < 32; i++)); do
> printf "\e[%huL%*c" $((-i & 0xffffffff)) $COLUMNS A
> done
In a real attack this might be an SSH banner or similar.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse,
the bug report will become visible to the public. The scheduled disclosure
date is 2020-06-27. Disclosure at an earlier date is possible if
agreed upon by all parties.
Related CVE Numbers: CVE-2020-12651.
Found by: taviso@google.com
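The report above describes the bug class, an unsigned CSI line parameter that wraps once it is used in signed comparisons, without showing the code pattern. The following is an added example written for this page, not SecureCRT's code or the reporter's: it models a screen as a row count plus a cursor row (a constructed struct named screen_t, with a sample screen demo_screen of 24 rows and the cursor on row 5) and computes the last row a Delete Line with a given parameter would touch, once with the flawed signed clamp and once with the parameter validated while it is still unsigned. The functions only compute an index and never write to memory; the value 0xC0000000 is what the reproducer's -$((1 << 30)) becomes when printed with %u.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a terminal screen for this example (not SecureCRT's
 * data structures): `rows` line buffers in an array, cursor on row `cur`. */
typedef struct {
    int rows;   /* number of line buffers in the array */
    int cur;    /* cursor row, 0 <= cur < rows */
} screen_t;

/* Sample screen, constructed for the demonstration: 24 rows, cursor on row 5. */
static const screen_t demo_screen = { 24, 5 };

/* Is `row` a valid index into the line-buffer array? */
bool row_in_bounds(const screen_t *s, int row)
{
    return row >= 0 && row < s->rows;
}

/* The bug class the report describes: the CSI parameter (the Ps of "CSI Ps M",
 * Delete Line) is parsed as an unsigned value and then handed to signed
 * arithmetic. Returns the last row index the operation would touch. */
int dl_last_row_vulnerable(const screen_t *s, unsigned count)
{
    /* Converting a value above INT_MAX to int yields a negative number on the
     * usual two's-complement ABIs (the conversion is implementation-defined). */
    int n = (int)count;
    if (n == 0)
        n = 1;                       /* CSI default when Ps is omitted or 0 */
    /* This clamp is meant to keep cur + n inside the array, but a negative n
     * passes it untouched, so the computed row lies before the array start. */
    if (s->cur + n > s->rows)
        n = s->rows - s->cur;
    return s->cur + n - 1;
}

/* Hardened form: apply the default and the clamp while the value is still
 * unsigned, so no out-of-range parameter ever reaches signed arithmetic. */
int dl_last_row_fixed(const screen_t *s, unsigned count)
{
    unsigned room = (unsigned)(s->rows - s->cur);   /* rows from cursor to bottom, >= 1 */
    if (count == 0)
        count = 1;
    if (count > room)
        count = room;
    return s->cur + (int)count - 1;
}

int main(void)
{
    const screen_t *s = &demo_screen;
    /* -$((1 << 30)) printed with %u, as in the report's reproducer, is 0xC0000000. */
    unsigned hostile = 0xC0000000u;

    printf("normal DL 3: last row %d\n", dl_last_row_vulnerable(s, 3u));
    int bad = dl_last_row_vulnerable(s, hostile);
    printf("vulnerable DL with %u: last row %d, in bounds: %s\n",
           hostile, bad, row_in_bounds(s, bad) ? "yes" : "no");
    int ok = dl_last_row_fixed(s, hostile);
    printf("fixed DL with %u: last row %d, in bounds: %s\n",
           hostile, ok, row_in_bounds(s, ok) ? "yes" : "no");
    return 0;
}
```

The point of the hardened version is the order of operations: a range check performed after the conversion to int can be bypassed by any value above INT_MAX, whereas a check performed on the unsigned parameter against the unsigned amount of room left on screen cannot wrap. The same rule applies to every CSI function that takes a count (IL, DL, SU, SD and the cursor-movement sequences).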
|References

Source: CONFIRM

Link: https://www.vandyke.com/products/securecrt/history.txt

Source: MISC

Link: https://www.vandyke.com/support/advisory/index.html

Source: MISC

Link: https://twitter.com/taviso/status/1261079774190919680

Source: MISC

Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2033

Source: packetstormsecurity.com

Link: https://packetstormsecurity.com/files/157718/SecureCRT-Memory-Corruption.html

Source: nvd.nist.gov

Link: https://nvd.nist.gov/vuln/detail/CVE-2020-12651