COMMAND

    VShell

SYSTEMS AFFECTED

    VShell 1.0, 1.0.1

PROBLEM

    The following is based on @stake Advisory A021601-1. Van Dyke
    Technologies VShell is the new SSH gateway for the Microsoft
    Windows NT and Windows 2000 platform. It enables existing SSH
    clients for a large number of platforms to securely administer
    Windows NT 4 and Windows 2000 environments via a command console.
    In addition, like its UNIX counterparts, VShell enables port
    forwarding of services. Port forwarding enables insecure
    protocols to be tunnelled over SSH across the public Internet in
    an encrypted manner. There exists a vulnerability in the way in
    which VShell accepts usernames. This vulnerability makes it
    susceptible to a buffer overflow attack that could allow a
    malicious attacker to execute arbitrary code as the VShell
    service. This service by default runs in the LocalSystem context.

    In addition to the above vulnerability, VShell by default comes
    with a port forwarding rule of 0.0.0.0/0.0.0.0 to any port. This
    would allow any user with a valid Windows NT account on the SSH
    gateway and prior knowledge of the internal IP addressing scheme
    to port forward to any internally or externally hosted service
    which is accessible from the SSH gateway.

    This is another demonstration of why default rules within
    applications should be reviewed before installing in hostile
    environments, and of why application developers should review
    their programming practices.
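
    The effect of the default 0.0.0.0/0.0.0.0 rule can be checked with
    a small rule evaluator. This is an added example, not code from
    the advisory or from VShell; the (network, port) tuple layout, the
    sample addresses and the function names are assumptions.

```python
import ipaddress

# Constructed rule sets in the advisory's address/netmask notation.
# The tuple layout is hypothetical, not VShell's configuration format.
DEFAULT_RULES = [("0.0.0.0/0.0.0.0", "any")]
HARDENED_RULES = [("10.1.2.10/255.255.255.255", 3389),
                  ("10.1.3.0/255.255.255.0", 443)]


def parse_rule(rule):
    """Turn ("addr/netmask", port) into (IPv4Network, port)."""
    net, port = rule
    # strict=True rejects rules whose address has host bits set.
    return ipaddress.ip_network(net, strict=True), port


def is_allowed(rules, dest_ip, dest_port):
    """Return True if any rule permits forwarding to dest_ip:dest_port."""
    dest = ipaddress.ip_address(dest_ip)
    for rule in rules:
        network, port = parse_rule(rule)
        if dest in network and port in ("any", dest_port):
            return True
    return False  # nothing matched: deny


def audit(rules, max_hosts=256):
    """List rules that are broader than a reviewer would normally accept."""
    findings = []
    for rule in rules:
        network, port = parse_rule(rule)
        if network.prefixlen == 0:
            findings.append((rule, "matches every IPv4 address"))
        elif network.num_addresses > max_hosts:
            findings.append((rule, "covers %d addresses" % network.num_addresses))
        if port == "any":
            findings.append((rule, "forwards to every port"))
    return findings


if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("hardened", HARDENED_RULES)):
        print(name, "-> 192.168.5.20:23 allowed:",
              is_allowed(rules, "192.168.5.20", 23))
        for rule, why in audit(rules):
            print("  finding:", rule, why)
```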

SOLUTION

    The author fixed the problem a few days after @stake notified
    them. All vendors should take security fixes this seriously. A
    new version is available on the web site (VShell 1.0.2):

        http://www.vandyke.com/download/vshell