#######################################################################

Application:  VanDyke VShell
              http://www.vandyke.com/products/vshell/index.html
Versions:     <= 3.0.3.569
Platforms:    Windows mainly affected; the server also runs on Linux,
              Solaris, FreeBSD, Mac OS X, HP-UX and AIX
Bug:          exception error message (or termination if in debug mode)
              (note that the effect could be non-replicable on Windows
              Server since it depends on how errors are handled)
Exploitation: remote
Date:         02 Jan 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

VanDyke VShell is a commercial SSH server.

#######################################################################

======
2) Bug
======

The VShell server shows a message box if an exception occurs (I am
talking about the program when it runs on the Windows platform).
Other than this message on the screen there are no other side effects:
the server continues to work normally and the remote users see no
problems. ONLY if the admin clicks on the message box does the server
terminate, or the termination is automatic if the server is running in
debug mode.

The exception to exploit for causing this problem is in
SSH2Core.?Get_mpint@SSHPacket@SSH2@@QAE_NPAEAAII@Z, where the
Get_raw_pointer function compares the amount of bytes available in the
packet with the 32-bit length specified by the client. If the latter is
larger (a signed comparison), CxxThrowException is called. If the check
is bypassed through that signed comparison, the unchecked integer leads
to another exception later.
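The length check described above is a generic parsing pitfall, so here is an added illustration (not VShell's code, and not a reconstruction of its implementation) of a minimal reader for the SSH length-prefixed mpint/string encoding (uint32 big-endian length followed by the body, as in RFC 4251). The function names, the packet bytes and the buffer layout are constructed for the example. It places the signed comparison pattern beside the unsigned one: a client-supplied length of 0xFFFFFFFF is -1 as a signed 32-bit value, so it is never "greater than" the available byte count and slips past the signed check, while the unsigned check rejects it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not VShell code: a minimal reader for the SSH
 * length-prefixed wire encoding (uint32 big-endian length, then body,
 * RFC 4251) showing why a signed length comparison is unsafe. */

static uint32_t read_u32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The flawed pattern: both operands treated as signed 32-bit values.
 * A client-supplied length >= 0x80000000 becomes negative and is never
 * "greater than" the available byte count, so the check passes.
 * Returns 1 if the length is accepted, 0 if rejected; it only reports
 * the decision and never touches any payload. */
int length_check_signed(uint32_t claimed, size_t available)
{
    int32_t len   = (int32_t)claimed;
    int32_t avail = (int32_t)available;
    return (len > avail) ? 0 : 1;
}

/* The hardened pattern: compare as unsigned, widened to size_t. */
int length_check_unsigned(uint32_t claimed, size_t available)
{
    return ((size_t)claimed <= available) ? 1 : 0;
}

/* Parse one length-prefixed field starting at buf[pos].
 * On success returns the number of bytes consumed (4 + body length) and
 * sets *body/*bodylen; returns 0 for any malformed or truncated input. */
size_t parse_mpint(const uint8_t *buf, size_t buflen, size_t pos,
                   const uint8_t **body, uint32_t *bodylen)
{
    if (pos > buflen || buflen - pos < 4)
        return 0;                           /* no room for the length field */
    uint32_t len   = read_u32_be(buf + pos);
    size_t   avail = buflen - pos - 4;      /* bytes after the length field */
    if (!length_check_unsigned(len, avail))
        return 0;                           /* body would overrun the packet */
    *body    = buf + pos + 4;
    *bodylen = len;
    return 4 + (size_t)len;                 /* len <= avail < buflen: no wrap */
}

int main(void)
{
    /* Constructed sample packets for the demo, not captured traffic. */
    const uint8_t good[] = { 0x00, 0x00, 0x00, 0x03, 0x01, 0x02, 0x03 };
    const uint8_t bad[]  = { 0xFF, 0xFF, 0xFF, 0xFF };  /* -1 when signed */
    const uint8_t *body = NULL;
    uint32_t bodylen = 0;

    printf("valid field consumed %zu bytes\n",
           parse_mpint(good, sizeof good, 0, &body, &bodylen));
    printf("signed check on 0xFFFFFFFF with 0 bytes available: %s\n",
           length_check_signed(0xFFFFFFFFu, sizeof bad - 4)
               ? "accepted" : "rejected");
    printf("unsigned parse of 0xFFFFFFFF: %zu (0 = rejected)\n",
           parse_mpint(bad, sizeof bad, 0, &body, &bodylen));
    return 0;
}
```

The parser computes `avail` from the packet bounds first and only then compares the claimed length against it as an unsigned value, so an oversized or negative-looking length is rejected before any pointer into the body is formed; the returned byte count cannot wrap because the accepted length is bounded by the packet size.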
Important note: naturally this bug can't be defined a real security
risk due to the previous explanation; I have decided to keep track of
this problem only for thoroughness and because it remains a small
problem for the administrators who see the error message.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/vshellmsg.zip

#######################################################################

======
4) Fix
======

As already said, this bug can't be considered a real security risk.

#######################################################################