List: bugtraq
Subject: Dameware NT Utilities and MiniRemote Control <= 4.9 vulnerability
From: Jordi Corrales <jordi () shellsec ! net>
Date: 2005-04-15 13:00:48
Message-ID: 131283783.20050415150048 () shellsec ! net
Dameware NT Utilities and MiniRemote Control <= 4.9 vulnerability
- 1 - Introduction
DameWare NT Utilities is an enterprise system management application for Windows
NT/2000/XP/2003 which provides an integrated collection of Microsoft Windows NT
administration utilities incorporating a centralized interface for remote management
of Windows NT/2000/XP/2003 Servers and Workstations.
- 2 - Description -
Dameware NT Utilities and Mini Remote Control <= 4.9 have a vulnerability.
NT Utilities
-------------
When the DNTUS26 process on the remote machine is dumped from memory to a file
with PMDump, the user name and the password can be obtained because both are stored
in clear text. The connected user can be identified from the Windows event log;
opening the dump file and searching for that user then reveals the password, which
appears as clear text on the same line as the user.
All utilities (disk, event, groups, open files, cmd view, ...) are vulnerable, but if
the CMD Console (not cmd view) is executed and the process is dumped, searching for
the word "Console" reveals the user, password, remote user and remote host name.
For example:
Console:CrowDat:myplaintextpassword:Y:N:Kurobudetsu:TAMICA2000
Mini Remote Control
-------------------
When the DWRCS process (remote machine or server machine) is dumped from memory to a
file with PMDump, information about program settings, the user name and the
authentication type can be obtained, but not the password.
When the DWRCC process (client machine or local machine) is dumped from memory to a
file with PMDump, all users, passwords, hostnames/IPs, aliases and domain names
stored for connecting with alternate credentials can be obtained; searching for the
words "sam computers" finds all of them.
To make it easy to find the user and password: when I tested, I always found the
user and password within a short range of lines. To open the txt files I used
Notepad++; with Notepad or WordPad it is very slow.
User and password between lines:
41900-42000 in disk,event,groups,open-files,properties... (NT Utilities)
4550-4600 DWRCC (Mini Remote Control Client)
300-400 DWRCS (Mini Remote Control Server)
- 3 - How to fix it
If DameWare fixes this bug, update to the new version.
- 4 - Vendor Contact
08/04/2005 Notified to dameware
No response from vendor
- 5 - Credits -
Author: Jordi Corrales ( jordi[at]shellsec.net )
Editor: Fernando Ortega ( fernando[at]shellsec.net )
Date: 15/04/2005
Url: http://www.shellsec.net
Vendor: http://www.dameware.com
PMDump: http://ntsecurity.nu/toolbox/pmdump/
Notepad++: http://notepad-plus.sourceforge.net
English Advisory: http://www.shellsec.net/leer_advisory.php?id=7
Spanish Advisory: http://www.shellsec.net/leer_advisory.php?id=6
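
A defender-side check for the clear-text exposure described in section 2, added here as an example and not part of the original advisory: after connecting with a throwaway canary password on a lab machine you administer, scan the dump you took of the process for that canary in ASCII and UTF-16LE. The function names, the canary value and the sample dump are constructed for illustration.

```python
import io

CHUNK = 1 << 20  # read 1 MiB at a time so large dumps need not fit in RAM
SAMPLE_CANARY = "Canary-7f3a-test"  # constructed test password, not from the advisory

def find_canary(stream, canary, chunk=CHUNK):
    """Return sorted (offset, encoding) hits of the canary in a binary stream."""
    if not canary:
        raise ValueError("canary must be a non-empty string")
    # Windows processes usually hold strings as ANSI/ASCII or UTF-16LE.
    needles = {"ascii": canary.encode("ascii"),
               "utf-16le": canary.encode("utf-16-le")}
    overlap = max(len(n) for n in needles.values()) - 1
    hits, tail, base = set(), b"", 0  # base = file offset of tail[0]
    while True:
        block = stream.read(chunk)
        if not block:
            break
        buf = tail + block
        for name, needle in needles.items():
            pos = buf.find(needle)
            while pos != -1:
                hits.add((base + pos, name))  # set() drops re-found overlap hits
                pos = buf.find(needle, pos + 1)
        # Keep enough bytes to catch a match that straddles two reads.
        keep = min(overlap, len(buf))
        base += len(buf) - keep
        tail = buf[len(buf) - keep:]
    return sorted(hits)

def scan_bytes(data, canary, chunk=CHUNK):
    """Convenience wrapper for in-memory data."""
    return find_canary(io.BytesIO(data), canary, chunk)

def build_sample_dump():
    """Constructed stand-in for a dump: one ASCII and one UTF-16LE copy."""
    return (b"\x00" * 100 + b"Console:labuser:" + SAMPLE_CANARY.encode("ascii")
            + b":Y:N:" + b"\x00" * 57 + SAMPLE_CANARY.encode("utf-16-le")
            + b"\x00" * 10)

if __name__ == "__main__":
    for offset, enc in scan_bytes(build_sample_dump(), SAMPLE_CANARY, chunk=16):
        print(f"clear-text canary ({enc}) at offset {offset:#x}")
```

For a real dump file, open it in binary mode and pass the file object to find_canary together with the canary password used for the test session; an empty result after an upgrade indicates the canary is no longer held in clear text in that process.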