VanDyke Software

Security Advisory

Security Advisory—CRT and SecureCRT® 4.0, 4.1

VanDyke Software has released CRT 4.1.9 and SecureCRT 4.1.9 to eliminate a security issue in CRT and SecureCRT 4.0 and 4.1. When CRT or SecureCRT was selected as the default Telnet client and was launched from a URL, it was possible to run a malicious logon script because the configuration folder could be specified on the command line. In 4.1.9, if CRT or SecureCRT is launched from a URL, any /F option is ignored.


Posted: November 23, 2004

Description

When CRT or SecureCRT 4.0 or 4.1 was launched from a URL, this vulnerability allowed an attacker to run a malicious logon script because the configuration folder could be specified on the command line. Successful exploitation allows execution of arbitrary commands via a malicious logon script with the privileges of the user running CRT or SecureCRT.

This vulnerability is only applicable to users who have made CRT or SecureCRT their default Telnet client.

CRT 4.1.9 and SecureCRT 4.1.9 (or newer) provide a fix for this vulnerability. CRT and SecureCRT no longer allow the configuration folder (/F option) to be passed on the command line if the command line is part of a URL. Other command-line arguments are still supported and must come before the URL.

Earlier versions of these client applications may be vulnerable as well. VanDyke encourages all users whose licenses were purchased prior to October 26, 2004 to consider upgrading to the current version(s) of their licensed applications.

Affected Software Versions

SecureCRT 4.1 or earlier
CRT 4.1 or earlier

 

Vulnerability Fix Downloads

SecureCRT 4.1.9 - http://www.vandyke.com/download/securecrt/download.html
CRT 4.1.9 - http://www.vandyke.com/download/crt/index.html

 

Upgrade eligibility for registered users of CRT or SecureCRT
VanDyke recommends that all users of versions 4.0 and 4.1 consider upgrading to 4.1.9 or newer. CRT and SecureCRT users who purchased licenses on or after August 1, 2002 can upgrade to the 4.1.9 release without charge.

 

Workaround for versions of CRT and SecureCRT prior to 4.1.9
The remote execution vulnerability only affects users who have CRT or SecureCRT set to be their default Telnet client. The appropriate registry key can be modified to no longer point to CRT or SecureCRT.

The following link resolves to: telnet://localhost. If clicking on the link does not bring up CRT or SecureCRT, then you are not vulnerable since CRT or SecureCRT is not set to be your default Telnet client.

What is my default Telnet client? (telnet://localhost)

If clicking on the above link launches CRT or SecureCRT, the situation can be resolved as follows:

WARNING: If you use the registry editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Before making changes to the registry, you should back up any valued data on your computer.

  1. Open the Windows registry editor (Start / Run, regedit) and browse to the following registry key:

    HKEY_CLASSES_ROOT\telnet\shell\open\command

  2. Modify the "(Default)" value, changing it to:

    rundll32.exe url.dll,TelnetProtocolHandler %l

    Note: in the above example, it's "%[el]", rather than "%[one]"

  3. Close the registry editor.

At this point, clicking on the following link should bring up the built-in Windows Telnet client rather than CRT or SecureCRT:

What is my default Telnet client now?

Once the default Telnet client has been reset, launching CRT or SecureCRT may present the following prompt when the application is launched:

"SecureCRT is not currently your default Telnet application. Would you like to make SecureCRT your default Telnet application?"

To prevent SecureCRT from presenting this prompt again, clear the "Always perform this check when starting SecureCRT" option and choose "No".

The following VBScript code can be used to make this change if this needs to be performed for a large group of users (as a logon script, for example):

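' Reset the telnet:// protocol handler to the built-in Windows Telnet client.
Set WshShell = CreateObject("WScript.Shell")
' The trailing backslash makes RegWrite set the key's (Default) value.
Key = "HKCR\telnet\shell\open\command\"
' The value ends in a percent sign and a lowercase L, not the digit one.
Value = "rundll32.exe url.dll,TelnetProtocolHandler %l"
WshShell.RegWrite Key, Value, "REG_SZ"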
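
A check-before-write variant of the script above, as an added example that is not VanDyke's code: it reads the current handler, reports whether it points at CRT or SecureCRT, and rewrites it only when run with the argument fix. The match on "crt.exe", the fix argument and the exit codes are assumptions made for this example.

```vbscript
' Added example (not VanDyke's code): audit the Telnet URL handler before changing it.
' Assumption: the CRT and SecureCRT executables are named CRT.exe and SecureCRT.exe,
' so a handler command containing "crt.exe" points at one of them.
Option Explicit

Const HANDLER_KEY = "HKCR\telnet\shell\open\command\"   ' trailing "\" = (Default) value
Const BUILTIN_CMD = "rundll32.exe url.dll,TelnetProtocolHandler %l"   ' %l is a lowercase L

Dim shell, current, doFix
Set shell = CreateObject("WScript.Shell")

' Pass "fix" as the first argument to rewrite the handler; otherwise report only.
doFix = False
If WScript.Arguments.Count > 0 Then doFix = (LCase(WScript.Arguments(0)) = "fix")

' RegRead raises an error when the key or its default value does not exist.
On Error Resume Next
current = shell.RegRead(HANDLER_KEY)
If Err.Number <> 0 Then
    Err.Clear
    WScript.Echo "OK: no telnet:// handler command is registered."
    WScript.Quit 0
End If
On Error GoTo 0

If InStr(1, current, "crt.exe", vbTextCompare) = 0 Then
    WScript.Echo "OK: telnet:// handler is not CRT/SecureCRT: " & current
    WScript.Quit 0
End If

WScript.Echo "EXPOSED: telnet:// URLs launch " & current
If Not doFix Then WScript.Quit 1

' Apply the advisory's workaround and confirm that the write took effect.
On Error Resume Next
shell.RegWrite HANDLER_KEY, BUILTIN_CMD, "REG_SZ"
If Err.Number <> 0 Then
    WScript.Echo "FAILED: could not write handler (insufficient rights?): " & Err.Description
    WScript.Quit 2
End If
On Error GoTo 0

If shell.RegRead(HANDLER_KEY) = BUILTIN_CMD Then
    WScript.Echo "FIXED: telnet:// handler reset to the built-in Windows client."
    WScript.Quit 0
End If
WScript.Echo "FAILED: handler still reads " & shell.RegRead(HANDLER_KEY)
WScript.Quit 2
```

Run it with cscript //nologo so the messages go to the console instead of dialog boxes; exit code 1 marks a machine that still needs the workaround or the 4.1.9 upgrade.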

 

Alternative workaround
Alternatively, the administrator option "Disable All Scripting" can be set as a mitigation to this threat. For assistance with disabling all scripting in CRT or SecureCRT on an administrator level, please contact VanDyke Software.

 

Technical Support

For further information on the security advisory, please contact VanDyke Software.
 

Official Postings

The original posting of this vulnerability was made on the Security-Assessment.com (pdf) web site on November 23, 2004.
Secunia published an advisory on this vulnerability on November 23, 2004.
VanDyke published this page on November 29, 2004.
VanDyke announced this vulnerability and provided a fix on October 26, 2004.

 

Revision History

November 29, 2004 - Security Advisory published.