Advisory ID: EWS00001
Product: SecureCRT
Vendor: www.vandyke.com
Vulnerable Version(s): 7.0.3 and probably prior
Tested Version: 7.0.3
Vendor Notification: February 23, 2013
Vendor Patch: No patch
Public Disclosure: February 28, 2013
Vulnerability Type: Insecure password storage
Risk Level: Medium
Solution Status: Workaround by Vendor
Discovered and Provided: Intersistemi Spa EWS Early Warning Services ( http://www.intersistemi.it/ )

-----------------------------------------------------------------------------------------------

Successful exploitation allows malicious people to recover a password that SecureCRT stores, encrypted, in the session configuration file (session .ini).

Advisory Details

To exploit the vulnerability:

1) Edit the session .ini file and replace the saved username with an invalid one. For example:

S:"Server To Client MACs"=MD5,SHA1,SHA1-96,MD5-96
S:"Username"=root (change to roots)
D:"Disable Resize"=00000002
D:"Audio Bell"=00000001

2) Save the file and try to connect to the server. The client attempts to establish an SSH connection; when authentication fails, it shows a pre-filled login popup containing the (invalid) username and the saved password obscured by asterisks.

3) Now a simple tool such as Asterisk Key can be used to reveal the hidden password.

-----------------------------------------------------------------------------------------------

Solution:

In the interim, there are ways to work around the problem and mitigate the issue:

1) Do not save passwords. The ability to save passwords is a feature that many of our customers find convenient, even though it is not a best practice.

2) Disable saving passwords within SecureCRT. For administrators who want to ensure a high level of security, we strongly recommend disabling the save password functionality entirely. SecureCRT provides a GPO Administrative template to enable administrators to control whether saving passwords is allowed. Information about this administrative template can be found in the SecureCRT help under the "Administrative Template" topic. Individuals who desire more information regarding this administrative restriction should contact our technical support team: support@vandyke.com.

-----------------------------------------------------------------------------------------------

--
Raffaele Addesso
______________________
Intersistemi EWS (Early Warning Service)
Intersistemi Italia S.p.A.
Via dei Galla e dei Sidama, 23
00199 - Rome (Italy)
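Since the vendor's workaround is "do not save passwords", an administrator needs a way to find session files that still carry one. The following audit script is an added example, not code from the advisory or from VanDyke: it parses the line format shown in the advisory excerpt (S:"Key"=value for strings, D:"Key"=hex for DWORDs) and flags any entry whose key name suggests a stored secret and whose value is non-empty. The key name "Password" in the key-hint list and in the sample sessions is an assumption (SecureCRT's real key name may differ), and both sample sessions, including the opaque password value, are constructed.

```python
"""Audit SecureCRT-style session .ini files for saved credentials.

Added example, not from the advisory or the vendor.  The line format follows
the advisory's excerpt; the secret key names and sample data are assumptions.
"""
import re
import sys
from pathlib import Path

# One entry per line: a type letter, a double-quoted key, '=' and the raw value.
INI_LINE = re.compile(r'^([A-Z]):"([^"]*)"=(.*)$')

# Key names treated as secrets.  Assumed, not taken from SecureCRT's
# documentation: extend this list to match the key your deployment writes.
SECRET_KEY_HINTS = ("password", "passphrase")


def parse_session_ini(text):
    """Return [(type_code, key, value), ...] for every line matching the format."""
    entries = []
    for raw in text.splitlines():
        m = INI_LINE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def find_saved_credentials(text):
    """Keys whose name hints at a secret and whose value is non-empty."""
    return [
        key
        for _typ, key, value in parse_session_ini(text)
        if any(h in key.lower() for h in SECRET_KEY_HINTS) and value.strip()
    ]


def audit_files(paths):
    """Map each .ini path to the secret-bearing keys found in it (empty list = clean)."""
    report = {}
    for p in paths:
        try:
            text = Path(p).read_text(encoding="utf-8", errors="replace")
        except OSError as exc:
            report[str(p)] = [f"unreadable: {exc}"]
            continue
        report[str(p)] = find_saved_credentials(text)
    return report


# Constructed sample session with a saved password; the value is a made-up placeholder.
SAMPLE_SESSION = '''S:"Server To Client MACs"=MD5,SHA1,SHA1-96,MD5-96
S:"Username"=root
S:"Password"=uPLACEHOLDER_OPAQUE_BLOB
D:"Disable Resize"=00000002
D:"Audio Bell"=00000001
'''

# Constructed sample session where the password field exists but is empty.
SAMPLE_CLEAN = '''S:"Username"=root
S:"Password"=
D:"Audio Bell"=00000001
'''

if __name__ == "__main__":
    # Usage: python audit_sessions.py <directory containing session .ini files>
    if len(sys.argv) < 2:
        print("sample session:", find_saved_credentials(SAMPLE_SESSION))
        print("clean session:", find_saved_credentials(SAMPLE_CLEAN))
    else:
        root = Path(sys.argv[1])
        for path, keys in audit_files(sorted(root.rglob("*.ini"))).items():
            if keys:
                print(f"{path}: saved credential in {', '.join(keys)}")
```

Run it against the directory that holds the session files; any file listed in the output still contains a saved credential and should be cleaned up, or the save-password feature disabled through the administrative template the vendor describes.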