[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Dameware NT Utilities and MiniRemote Control <= 4.9 vulnerability
From:       Jordi Corrales <jordi () shellsec ! net>
Date:       2005-04-15 13:00:48
Message-ID: 131283783.20050415150048 () shellsec ! net
[Download RAW message or body]

Dameware NT Utilities and MiniRemote Control <= 4.9 vulnerability
         

- 1 - Introduction

DameWare NT Utilities is an enterprise system management application for Windows \
NT/2000/XP/2003 which provides an integrated collection of Microsoft Windows NT \
administration utilities incorporating a centralized interface for remote management \
of Windows NT/2000/XP/2003 Servers and Workstations

- 2 - Description -

Dameware NT Utilities and Mini Remote Control <= 4.9 have a vulnerability.

NT Utilities
-------------

When the process DNTUS26 located in the remote machine is dumped from memory to a \
file with PMDump can obtain the user and the password because both are stored in \
clear-text. Viewing the event id of windows can know the user connected then only \
opening the dump file and searching the user can obtain the password looking for any \
clear-text in the same line of the user.

All utilities (disk,event,groups,open files..cmd view..) are vulnerable but if \
execute CMD Console (not cmd view) and dump the process, searching the word "Console" \
can obtain the user,password,remote user and remote host name.

For example

Console:CrowDat:myplaintextpassword:Y:N:Kurobudetsu:TAMICA2000

Mini Remote Control
-------------------

When the process DWRCS (remote machine or server machine) is dumped from memory to a \
file with PMDump can obtain information of program settings,user name and \
authentication type but not the password.

When the process DWRCC (client machine or local machine) is dumped from memory to a \
file with PMDump can obtain all users,passwords,hostname/ip,alias and domain name \
stored for connect with alternate credentials, searching the word "sam computers" can \
find all.

To make easy find the user and password when i tested always find the user and \
password between a short range of lines. To open the txt files i used Notepad++ but \
with notepad or wordpad it's very slowly.

User&Password between lines..

41900-42000 in disk,event,groups,open-files,properties... (NT Utilities)
4550-4600 DWRCC (Mini Remote Control Client)
300-400 DWRCS (Mini Remote Control Server)


- 3 - How to fix it

If Dameware fix this bug download update to the new version

- 4 - Vendor Contact

08/04/2005 Notified to dameware

No response from vendor

- 5 - Credits -

Author: Jordi Corrales ( jordi[at]shellsec.net )
Editor: Fernando Ortega ( fernando[at]shellsec.net )
Date: 15/04/2005
Url: http://www.shellsec.net

Vendor: http://www.dameware.com
PMDump: http://ntsecurity.nu/toolbox/pmdump/
Notepad++: http://notepad-plus.sourceforge.net

English Advisory: http://www.shellsec.net/leer_advisory.php?id=7
Spanish Advisory: http://www.shellsec.net/leer_advisory.php?id=6


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic