Vulnerabilities > CVE-2002-1059 - Unspecified vulnerability in VAN Dyke Technologies Securecrt

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
van-dyke-technologies
nessus
exploit available
metasploit

Summary

Buffer overflow in Van Dyke SecureCRT SSH client before 3.4.6, and 4.x before 4.0 beta 3, allows an SSH server to execute arbitrary code via a long SSH1 protocol version string.

Exploit-Db

  • descriptionSecureCRT 2.4/3.x/4.0 SSH1 Identifier String Buffer Overflow Vulnerability (1). CVE-2002-1059. Dos exploit for windows platform
    idEDB-ID:21634
    last seen2016-02-02
    modified2002-07-23
    published2002-07-23
    reporterKyuzo
    sourcehttps://www.exploit-db.com/download/21634/
    titleSecureCRT 2.4/3.x/4.0 SSH1 Identifier String Buffer Overflow Vulnerability 1
  • descriptionSecureCRT. CVE-2002-1059. Remote exploit for windows platform
    idEDB-ID:16460
    last seen2016-02-01
    modified2010-04-30
    published2010-04-30
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/16460/
    titleSecureCRT <= 4.0 Beta 2 SSH1 - Buffer Overflow
  • descriptionSecureCRT 2.4/3.x/4.0 SSH1 Identifier String Buffer Overflow Vulnerability (2). CVE-2002-1059. Remote exploit for windows platform
    idEDB-ID:21635
    last seen2016-02-02
    modified2002-07-23
    published2002-07-23
    reporterandrea lisci
    sourcehttps://www.exploit-db.com/download/21635/
    titleSecureCRT 2.4/3.x/4.0 SSH1 Identifier String Buffer Overflow Vulnerability 2

Metasploit

descriptionThis module exploits a buffer overflow in SecureCRT <= 4.0 Beta 2. By sending a vulnerable client an overly long SSH1 protocol identifier string, it is possible to execute arbitrary code. This module has only been tested on SecureCRT 3.4.4.
idMSF:EXPLOIT/WINDOWS/SSH/SECURECRT_SSH1
last seen2020-05-22
modified2017-07-24
published2006-12-14
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1059
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ssh/securecrt_ssh1.rb
titleSecureCRT SSH1 Buffer Overflow

Nessus

NASL familyWindows
NASL idSECURECRT_REMOTE_OVERFLOW.NASL
descriptionThe remote host is using a vulnerable version of SecureCRT, a SSH/Telnet client built for Microsoft Windows operating systems. It has been reported that SecureCRT contains a remote buffer overflow allowing an SSH server to execute arbitrary commands via an especially long SSH1 protocol version string.
last seen2020-06-01
modified2020-06-02
plugin id15822
published2004-11-24
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/15822
titleSecureCRT SSH-1 Protocol Version String Remote Overflow
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(15822);
 script_version("1.18");
 script_cvs_date("Date: 2018/07/27 18:38:15");

 script_cve_id("CVE-2002-1059");
 script_bugtraq_id(5287);

 script_name(english:"SecureCRT SSH-1 Protocol Version String Remote Overflow");
 script_summary(english:"Determines the version of SecureCRT");

 script_set_attribute(attribute:"synopsis", value:
"The remote host has an application that is affected by a buffer
overflow vulnerability.");
 script_set_attribute(attribute:"description", value:
"The remote host is using a vulnerable version of SecureCRT, a
SSH/Telnet client built for Microsoft Windows operating systems.

It has been reported that SecureCRT contains a remote buffer overflow
allowing an SSH server to execute arbitrary commands via an especially
long SSH1 protocol version string.");
 script_set_attribute(attribute:"solution", value:"Upgrade to SecureCRT 3.2.2, 3.3.4, 3.4.6, 4.1 or newer");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SecureCRT SSH1 Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2002/07/23");
script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/24");

script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows");
 script_dependencies("smb_hotfixes.nasl");
 script_require_keys("SMB/Registry/Enumerated");
 script_require_ports(139, 445);
 exit(0);
}

include("smb_func.inc");
include("audit.inc");

# Connect to the appropriate share.
name    =  kb_smb_name();
port    =  kb_smb_transport();

login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();



if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1) {
  NetUseDel();
  exit(0);
}

# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  exit(0);
}

key = "SOFTWARE\VanDyke\SecureCRT\License";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if ( isnull(key_h) )
{
 key = "SOFTWARE/VanDyke/SecureCRT/Evaluation License/Version";
 if ( isnull(key_h) )
 {
  RegCloseKey(handle:hklm);
  NetUseDel();
  exit(0);
 }
}

version = RegQueryValue(handle:key_h, item:"Version");
RegCloseKey(handle:key_h);
RegCloseKey(handle:hklm);
NetUseDel();
if ( !isnull(version) )
{
 set_kb_item(name:"SMB/SecureCRT/Version", value:version[1]);
 if (egrep(pattern:"^(2\.|3\.([01]|2[^.]|2\.1[^0-9]|3[^.]|3\.[1-3][^0-9]|4[^.]|4\.[1-5][^0-9])|4\.0 beta [12]([^0-9]|$))", string:version[1]))
  security_hole(kb_smb_transport());
}

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/82992/securecrt_ssh1.rb.txt
idPACKETSTORM:82992
last seen2016-12-05
published2009-11-26
reporterMC
sourcehttps://packetstormsecurity.com/files/82992/SecureCRT-4.0-Beta-2-SSH1-Buffer-Overflow.html
titleSecureCRT <= 4.0 Beta 2 SSH1 Buffer Overflow