Autor
*******************************************
Citar
Product: DameWare Mini Remote Control <= 3.72.0.0
Vulnerability: Pre-Authentication Buffer Overflow
Severity: High Risk
Status: Vendor responded very quickly and has resolved the issue in 3.73 and later.
The new version can be downloaded from http://www.dameware.com/downloads.
Description:
A buffer overflow vulnerability can be exploited remotely by an unauthenticated attacker
who can access the DameWare Mini Remote Control Server. By default (DameWare Remote Control
Server) DWRCS listens on port 6129 TCP. By constructing fake communication packets pretending
to be a client, we can cause a buffer overflow due to insecure calls to the strcpy (lstrcpyA)
functions inside of DWRCS.exe. This overflow is caused after the client finishes sending all
pre-authentication information. This includes local username, remote username, local NetBIOS
name, Company Name, Registration Name, Registration Key, Date & time, lower case NetBIOS name,
IP Address(s) of the client, and Version of the remote client. After this initial packet is
sent,
the client sends the requested authentication type (in this case NTLMSSP.) If the username is
incorrect, the server will respond and then return from the vulnerable function.
Technical Details:
When first communicating with the DWRCS, packet dumps showed the server responds with the
current
Windows Service Pack level, as well as the Operating System Version in the second response
packet. The OS
can be identified by 16th and 17th bytes of this packet.
This information can be used to find valid addresses for our op codes which we can change at
will
depending on how the server responds. Next if we send all of the variables listed in the
description
portion of this advisory, the server will respond whether or not authentication succeeded, or
if
there was an error.
During the process of reading in these variables, the server copies these values using strcpy.
Since no bounds checking is done, when the authentication fails (or possibly even succeeds),
we
can overwrite the return address on the stack and have the process call our code.
I would like to thank DameWare for taking this issue seriously and working quickly
and successfully in releasing a patch which eradicates this issue. Once again
this issue has been resolved in version 3.73 and later.
Time Table:
Nov 21st, Vulnerability identified and Exploit written.
Nov 23rd, First contact with DameWare
Nov 24th, Response by DameWare stating they will inspect the issue.
Nov 26th, DameWare supplied me a hotfix to re-test.
Dec 4th, DameWare put hotfix (new version) Online for clients to download.
Dec 14th, This advisory is released.
Dec 20th, I plan on releasing my exploit code.
This advisory can also be found on my site:
http://sh0dan.org/files/dwmrcs372.txt
I have tested my code on 3.70 and 3.72 I presume other versions vulnerable.
-wire
--
Visit Things From Another World for the best
comics, movies, toys, collectibles and more.
http://www.tfaw.com/?qt=wmf
Vulnerability: Pre-Authentication Buffer Overflow
Severity: High Risk
Status: Vendor responded very quickly and has resolved the issue in 3.73 and later.
The new version can be downloaded from http://www.dameware.com/downloads.
Description:
A buffer overflow vulnerability can be exploited remotely by an unauthenticated attacker
who can access the DameWare Mini Remote Control Server. By default (DameWare Remote Control
Server) DWRCS listens on port 6129 TCP. By constructing fake communication packets pretending
to be a client, we can cause a buffer overflow due to insecure calls to the strcpy (lstrcpyA)
functions inside of DWRCS.exe. This overflow is caused after the client finishes sending all
pre-authentication information. This includes local username, remote username, local NetBIOS
name, Company Name, Registration Name, Registration Key, Date & time, lower case NetBIOS name,
IP Address(s) of the client, and Version of the remote client. After this initial packet is
sent,
the client sends the requested authentication type (in this case NTLMSSP.) If the username is
incorrect, the server will respond and then return from the vulnerable function.
Technical Details:
When first communicating with the DWRCS, packet dumps showed the server responds with the
current
Windows Service Pack level, as well as the Operating System Version in the second response
packet. The OS
can be identified by 16th and 17th bytes of this packet.
This information can be used to find valid addresses for our op codes which we can change at
will
depending on how the server responds. Next if we send all of the variables listed in the
description
portion of this advisory, the server will respond whether or not authentication succeeded, or
if
there was an error.
During the process of reading in these variables, the server copies these values using strcpy.
Since no bounds checking is done, when the authentication fails (or possibly even succeeds),
we
can overwrite the return address on the stack and have the process call our code.
I would like to thank DameWare for taking this issue seriously and working quickly
and successfully in releasing a patch which eradicates this issue. Once again
this issue has been resolved in version 3.73 and later.
Time Table:
Nov 21st, Vulnerability identified and Exploit written.
Nov 23rd, First contact with DameWare
Nov 24th, Response by DameWare stating they will inspect the issue.
Nov 26th, DameWare supplied me a hotfix to re-test.
Dec 4th, DameWare put hotfix (new version) Online for clients to download.
Dec 14th, This advisory is released.
Dec 20th, I plan on releasing my exploit code.
This advisory can also be found on my site:
http://sh0dan.org/files/dwmrcs372.txt
I have tested my code on 3.70 and 3.72 I presume other versions vulnerable.
-wire
--
Visit Things From Another World for the best
comics, movies, toys, collectibles and more.
http://www.tfaw.com/?qt=wmf
********************************************
EXPLOIT
http://www.security.nnov.ru/files/dmware.rar
Viene con algunos offsets, desde NT4 a Windows XP....
Salu2
En línea
