SecureCRT Memory Corruption

2020.05.17
Credit: Tavis Ormandy
Risk: High
Local: No
Remote: Yes
CWE: CWE-190


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

securecrt: memory corruption in CSI functions CVE-2020-12651 I noticed a vulnerability in SecureCRT that allows a remote system to corrupt memory in the terminal process and execute arbitrary code. The bug is that if you specify a line number to CSI functions that exceeds INT_MAX, the unsigned integer is used in signed comparisons and wraps around. https://invisible-island.net/xterm/ctlseqs/ctlseqs.html#h3-Functions-using-CSI-_-ordered-by-the-final-character_s_ The terminal has an array of line buffers it uses for managing the current screen, and this bug means you can corrupt buffers outside of those array bounds. To reproduce this bug, follow the following steps: (I tested VT100 and XTerm emulation on Windows 10 x64, I assume otherplatforms/configurations are affected). 1. Create a new SSH session, accept all the default settings. 2. Connect to a remote system, and run this command (I assume gnu printf): $ printf \"\\e[%uM%*c\" -$((1 << 30)) $COLUMNS A That's CSI DL (Delete Line), but other line functions work too, e.g. IL, but it requires a longer reproducer: $ tput clear; tput cup 0 0; for ((i=0; i < 32; i++)); do > printf \"\\e[%huL%*c\\" $((-i & 0xffffffff)) $COLUMNS A > done In a real attack this might be an SSH banner or similar. This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report will become visible to the public. The scheduled disclosure date is 2020-06-27. Disclosure at an earlier date is possible if agreed upon by all parties. Related CVE Numbers: CVE-2020-12651. Found by: taviso@google.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top