[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: DameWare Mini Remote Control Server <= 3.72 Buffer Overflow
From: "wirepair" <wirepair () roguemail ! net>
Date: 2003-12-14 15:10:41
[Download RAW message or body]
Product: DameWare Mini Remote Control <= 3.72.0.0
Vulnerability: Pre-Authentication Buffer Overflow
Severity: High Risk
Status: Vendor responded very quickly and has resolved the issue in 3.73 and later.
The new version can be downloaded from http://www.dameware.com/downloads.
Description:
A buffer overflow vulnerability can be exploited remotely by an unauthenticated \
attacker who can access the DameWare Mini Remote Control Server. By default (DameWare \
Remote Control Server) DWRCS listens on port 6129 TCP. By constructing fake \
communication packets pretending to be a client, we can cause a buffer overflow due \
to insecure calls to the strcpy (lstrcpyA) functions inside of DWRCS.exe. This \
overflow is caused after the client finishes sending all pre-authentication \
information. This includes local username, remote username, local NetBIOS name, \
Company Name, Registration Name, Registration Key, Date & time, lower case NetBIOS \
name, IP Address(s) of the client, and Version of the remote client. After this \
initial packet is sent, the client sends the requested authentication type (in this \
case NTLMSSP.) If the username is incorrect, the server will respond and then return \
from the vulnerable function.
Technical Details:
When first communicating with the DWRCS, packet dumps showed the server responds with \
the current Windows Service Pack level, as well as the Operating System Version in \
the second response packet. The OS can be identified by 16th and 17th bytes of this \
packet. This information can be used to find valid addresses for our op codes which \
we can change at will depending on how the server responds. Next if we send all of \
the variables listed in the description portion of this advisory, the server will \
respond whether or not authentication succeeded, or if there was an error.
During the process of reading in these variables, the server copies these values \
using strcpy. Since no bounds checking is done, when the authentication fails (or \
possibly even succeeds), we can overwrite the return address on the stack and have \
the process call our code.
I would like to thank DameWare for taking this issue seriously and working quickly
and successfully in releasing a patch which eradicates this issue. Once again
this issue has been resolved in version 3.73 and later.
Time Table:
Nov 21st, Vulnerability identified and Exploit written.
Nov 23rd, First contact with DameWare
Nov 24th, Response by DameWare stating they will inspect the issue.
Nov 26th, DameWare supplied me a hotfix to re-test.
Dec 4th, DameWare put hotfix (new version) Online for clients to download.
Dec 14th, This advisory is released.
Dec 20th, I plan on releasing my exploit code.
This advisory can also be found on my site:
http://sh0dan.org/files/dwmrcs372.txt
I have tested my code on 3.70 and 3.72 I presume other versions vulnerable.
-wire
--
Visit Things From Another World for the best
comics, movies, toys, collectibles and more.
http://www.tfaw.com/?qt=wmf
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic