
List:       bugtraq
Subject:    DameWare Mini Remote Control Server <= 3.72 Buffer Overflow
From:       "wirepair" <wirepair () roguemail ! net>
Date:       2003-12-14 15:10:41

Product: DameWare Mini Remote Control <= 3.72.0.0
Vulnerability: Pre-Authentication Buffer Overflow
Severity: High Risk
Status: Vendor responded very quickly and has resolved the issue in 3.73 and later. 
The new version can be downloaded from http://www.dameware.com/downloads.

Description:
A buffer overflow vulnerability can be exploited remotely by an unauthenticated attacker who can reach the DameWare Mini Remote Control Server. By default the DameWare Remote Control Server (DWRCS) listens on TCP port 6129. By constructing fake communication packets pretending to be a client, we can cause a buffer overflow due to insecure calls to the strcpy (lstrcpyA) functions inside DWRCS.exe. The overflow is triggered after the client finishes sending all pre-authentication information, which includes the local username, remote username, local NetBIOS name, Company Name, Registration Name, Registration Key, date and time, lower-case NetBIOS name, IP address(es) of the client, and version of the remote client. After this initial packet is sent, the client sends the requested authentication type (in this case NTLMSSP). If the username is incorrect, the server responds and then returns from the vulnerable function.

Technical Details:
When first communicating with the DWRCS, packet dumps showed that the server responds with the current Windows Service Pack level, as well as the operating system version, in its second response packet. The OS can be identified by the 16th and 17th bytes of this packet. This information can be used to find valid addresses for our op codes, which we can change at will depending on how the server responds. Next, if we send all of the variables listed in the description portion of this advisory, the server will respond with whether or not authentication succeeded, or whether there was an error.
During the process of reading in these variables, the server copies the values using strcpy. Since no bounds checking is done, when the authentication fails (or possibly even succeeds) we can overwrite the return address on the stack and have the process call our code.
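The root cause described above is a fixed-size stack buffer filled by strcpy/lstrcpyA with no length check on a field the client controls before authentication. The following is an added illustration of that pattern beside its hardened form; it is not DameWare's code, and the field size FIELD_MAX, the function names and the sample inputs are assumptions made for the example (the advisory does not give the real DWRCS buffer sizes or wire layout).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed field size for illustration only; the advisory does not state
   the real DWRCS buffer sizes. */
#define FIELD_MAX 32

/* The pattern the advisory describes: strcpy/lstrcpyA into a fixed-size
   stack buffer with no length check. Shown for contrast only; nothing in
   this file calls it. */
void copy_field_unchecked(const char *src)
{
    char field[FIELD_MAX];
    strcpy(field, src);  /* overflows as soon as strlen(src) >= FIELD_MAX */
    (void)field;
}

/* Hardened form: the destination capacity is passed explicitly, the copy
   is bounded, and over-length input is rejected outright rather than
   silently truncated. Returns 0 on success, -1 if src does not fit. */
int copy_field_checked(char *dst, size_t dstsize, const char *src, size_t srclen)
{
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    if (srclen >= dstsize)       /* leave room for the terminating NUL */
        return -1;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Simulates the server reading one pre-authentication field (for example
   the local username) out of a received buffer. Returns 0 if the field
   was accepted, -1 if it was rejected and the session should be dropped
   before any further parsing. */
int read_preauth_field(const char *wire, size_t wirelen, char *out, size_t outsize)
{
    return copy_field_checked(out, outsize, wire, wirelen);
}

int main(void)
{
    char name[FIELD_MAX];
    /* Constructed sample inputs: a normal username and an oversized one. */
    const char ok[] = "alice";
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short field: %d\n", read_preauth_field(ok, strlen(ok), name, sizeof name));
    printf("long field:  %d\n", read_preauth_field(big, strlen(big), name, sizeof name));
    return 0;
}
```

The important design point is that the bounded copy fails closed: a field that does not fit is refused and the pre-authentication exchange ends there, so an unauthenticated client never gets to influence what sits on the stack past the buffer. Truncating with strncpy instead would stop the overflow but could also leave the field unterminated, which is why the check uses an explicit length comparison and writes the NUL itself.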

I would like to thank DameWare for taking this issue seriously and working quickly
and successfully in releasing a patch which eradicates this issue. Once again
this issue has been resolved in version 3.73 and later.



Time Table:
Nov 21st, Vulnerability identified and Exploit written.
Nov 23rd, First contact with DameWare
Nov 24th, Response by DameWare stating they will inspect the issue.
Nov 26th, DameWare supplied me a hotfix to re-test.
Dec 4th, DameWare put hotfix (new version) Online for clients to download.
Dec 14th, This advisory is released.
Dec 20th, I plan on releasing my exploit code.

This advisory can also be found on my site:
http://sh0dan.org/files/dwmrcs372.txt

I have tested my code on 3.70 and 3.72; I presume other versions are vulnerable.
-wire

