SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  DameWare Vendors:  DameWare Development LLC
DameWare Discloses Passwords to Local Users
SecurityTracker Alert ID:  1013725
SecurityTracker URL:  http://securitytracker.com/id?1013725
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 15 2005
Impact:  Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 4.9 and prior versions
Description:  Jordi Corrales reported a vulnerability in DameWare NT Utilities and MiniRemote Control. A local user can obtain passwords.

A local user with access to 'DNTUS26' process memory can obtain the username and password. All of the DameWare NT Utilities are affected.

A local user with access to the DameWare MiniRemote Control 'DWRCS' process memory can obtain the applicable username and configuration settings. The 'DWRCC' process is also affected, but can be used to also obtain passwords.

The vendor was notified on April 8, 2005, without response.
Impact:  A local user with access to DameWare process memory can obtain passwords and configuration data.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.dameware.com/ (Links to External Site)
Cause:  Access control error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)
Reported By:  Jordi Corrales <jordi@shellsec.net>
Message History:   None.

 Source Message Contents
Date:  Fri, 15 Apr 2005 15:06:43 +0200
From:  Jordi Corrales <jordi@shellsec.net>
Subject:  Dameware NT Utilities and MiniRemote Control &lt;= 4.9 vulnerability

 
 
Dameware NT Utilities and MiniRemote Control <= 4.9 vulnerability
         
 
- 1 - Introduction
 
DameWare NT Utilities is an enterprise system management application for Windows 
NT/2000/XP/2003 which provides an integrated collection of Microsoft Windows NT 
administration utilities incorporating a centralized interface for remote management 
of Windows NT/2000/XP/2003 Servers and Workstations
 
- 2 - Description -
 
Dameware NT Utilities and Mini Remote Control <= 4.9 have a vulnerability.
 
NT Utilities
-------------
 
When the process DNTUS26 located in the remote machine is dumped from memory to a 
file with PMDump can obtain the user and the password because both are stored in 
clear-text.
Viewing the event id of windows can know the user connected then only opening the 
dump file and searching the user can obtain the password looking for any clear-text 
in the same line of the user.
 
All utilities (disk,event,groups,open files..cmd view..) are vulnerable but if 
execute CMD Console (not cmd view) and dump the process, searching the word "Console" 
can obtain the user,password,remote user and remote host name.
 
For example
 
Console:CrowDat:myplaintextpassword:Y:N:Kurobudetsu:TAMICA2000
 
Mini Remote Control
-------------------
 
When the process DWRCS (remote machine or server machine) is dumped from memory to a 
file with PMDump can obtain information of program settings,user name and 
authentication type but not the password.
 
When the process DWRCC (client machine or local machine) is dumped from memory to a 
file with PMDump can obtain all
users,passwords,hostname/ip,alias and domain name stored for connect with alternate 
credentials, searching the word "sam computers" can find all.
 
To make easy find the user and password when i tested always find the user and 
password between a short range of lines. To open the txt files i used Notepad++ but 
with notepad or wordpad it's very slowly.
 
User&Password between lines..
 
41900-42000 in disk,event,groups,open-files,properties... (NT Utilities)
4550-4600 DWRCC (Mini Remote Control Client)
300-400 DWRCS (Mini Remote Control Server)
 
 
- 3 - How to fix it
 
If Dameware fix this bug download update to the new version
 
- 4 - Vendor Contact
 
08/04/2005 Notified to dameware
 
No response from vendor
 
- 5 - Credits -
 
Author: Jordi Corrales ( jordi[at]shellsec.net )
Editor: Fernando Ortega ( fernando[at]shellsec.net )
Date: 15/04/2005
Url: http://www.shellsec.net
 
Vendor: http://www.dameware.com
PMDump: http://ntsecurity.nu/toolbox/pmdump/
Notepad++: http://notepad-plus.sourceforge.net
 
English Advisory: http://www.shellsec.net/leer_advisory.php?id=7
Spanish Advisory: http://www.shellsec.net/leer_advisory.php?id=6


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2005, SecurityGlobal.net LLC