SecureCRT Memory Corruption
Posted May 15, 2020
Authored by Tavis Ormandy, Google Security Research

SecureCRT suffers from a memory corruption vulnerability in CSI functions.

tags | exploit
advisories | CVE-2020-12651
MD5 | e90a6d22c2cdbe99b5796b3c3e382581

securecrt: memory corruption in CSI functions CVE-2020-12651

I noticed a vulnerability in SecureCRT that allows a remote system to corrupt memory in the terminal process and execute arbitrary code.

The bug is that if a line count passed to a CSI function exceeds INT_MAX, the unsigned parameter is used in signed comparisons, where it wraps around to a negative value.

https://invisible-island.net/xterm/ctlseqs/ctlseqs.html#h3-Functions-using-CSI-_-ordered-by-the-final-character_s_

The terminal keeps an array of line buffers for managing the current screen, and this bug means the remote side can corrupt buffers outside of those array bounds.

To reproduce this bug, follow these steps
(I tested VT100 and XTerm emulation on Windows 10 x64; I assume other platforms/configurations are affected).


1. Create a new SSH session, accept all the default settings.
2. Connect to a remote system, and run this command (I assume GNU printf):

$ printf "\e[%uM%*c" -$((1 << 30)) $COLUMNS A

That's CSI DL (Delete Line); other line functions work too, e.g. IL (Insert Line), though that one needs a longer reproducer:

$ tput clear; tput cup 0 0; for ((i=0; i < 32; i++)); do
> printf "\e[%huL%*c" $((-i & 0xffffffff)) $COLUMNS A
> done

In a real attack this might be an SSH banner or similar.
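The sign-confusion pattern the report describes, as an added C example that is not SecureCRT's code and not from the report: a hypothetical DL handler that stores the unsigned CSI parameter in an int and so lets a value above INT_MAX slip past a signed bounds check, beside a version that clamps the count while it is still unsigned. ROWS, COLS, the 'A'+i toy screen contents and all function names are constructed; 0xC0000000 is the value the first reproducer's -$((1 << 30)) prints with %u.

```c
#include <string.h>

#define ROWS 24                 /* constructed toy screen height */
#define COLS 8                  /* constructed toy screen width */

/* Hypothetical flawed handling of the CSI DL parameter, modelling the pattern
 * the report describes: parsed as unsigned, then stored and compared as int.
 * Returns the row index the scroll-up would copy from. */
int dl_source_row_flawed(unsigned int param, int cursor)
{
    int n = (int)param;         /* 0xC0000000 becomes -1073741824 on two's complement */
    if (n == 0) n = 1;          /* CSI default parameter */
    if (cursor + n > ROWS)      /* signed compare: a negative n is never clamped */
        n = ROWS - cursor;
    return cursor + n;          /* negative: a memmove from here reads before lines[] */
}

/* Hardened: keep the parameter unsigned and clamp it before any arithmetic. */
int dl_source_row_fixed(unsigned int param, int cursor)
{
    unsigned int room = (unsigned int)(ROWS - cursor);
    unsigned int n = (param == 0) ? 1u : param;
    if (n > room) n = room;     /* deleting past the bottom just clears to it */
    return cursor + (int)n;     /* always within [cursor, ROWS] */
}

/* Apply DL to a toy screen using the hardened count; returns rows scrolled up. */
int delete_lines(char screen[ROWS][COLS], unsigned int param, int cursor)
{
    int src = dl_source_row_fixed(param, cursor);
    int keep = ROWS - src;      /* rows below the deleted block move up */
    if (keep > 0)
        memmove(screen[cursor], screen[src], (size_t)keep * COLS);
    memset(screen[cursor + keep], ' ', (size_t)(ROWS - cursor - keep) * COLS);
    return keep;
}

/* Fill a fresh screen (row i holds 'A'+i), apply DL, report screen[row][0]. */
char first_char_after_dl(unsigned int param, int cursor, int row)
{
    char screen[ROWS][COLS];
    for (int i = 0; i < ROWS; i++)
        memset(screen[i], 'A' + i, COLS);
    delete_lines(screen, param, cursor);
    return screen[row][0];
}
```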

This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report will become visible to the public. The scheduled disclosure date is 2020-06-27. Disclosure at an earlier date is possible if agreed upon by all parties.


Related CVE Numbers: CVE-2020-12651.



Found by: taviso@google.com

© 2020 Packet Storm. All rights reserved.