SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
SecurityTracker
Archives
Category:  Application (Generic)  >  DameWare
Vendors:  DameWare Development LLC
DameWare Mini Remote Control Buffer Overflow in 'username' Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1014830
SecurityTracker URL:  http://securitytracker.com/id?1014830
CVE Reference:  CVE-2005-2842
Updated:  Jun 8 2008
Original Entry Date:  Aug 31 2005
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 4.x, prior to 4.9.0
Description:  A vulnerability was reported in DameWare Mini Remote Control. A remote user can execute arbitrary code on the target system.

A remote user who can reach the Mini Remote Control Client Agent Service ('dwrcs.exe', listening on TCP port 6129 by default) can supply an over-long username value during the pre-authentication exchange to trigger a buffer overflow and execute arbitrary code. No credentials are required. The source message attributes the flaw to unbounded lstrcpyA() calls on the username.

Jackson Pollocks No5 discovered this vulnerability.

Impact:  A remote user can execute arbitrary code on the target system.
Solution:  The report indicates that a fixed version (4.9.0 or later) is available at:

http://www.dameware.com/download

Vendor URL:  www.dameware.com/
Cause:  Boundary error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)
Reported By:  <ad@class101.org>
Message History:   None.


 Source Message Contents

Date:  Wed, 31 Aug 2005 21:54:20 +0100
From:  <ad@class101.org>
Subject:  [Full-disclosure] Dameware critical hole

Haven't noticed any warning about this, but someone posted that POC to my forum and is confirming that it works. It is urgent to update your DameWare .....

/************************************************************************************************
* _ ______
* (_)___ ____ ____ / ____/
* / / __ \/ __ \/ __ \/___ \
* / / /_/ / / / / /_/ /___/ /
* __/ / .___/_/ /_/\____/_____/
* /___/_/======================
*************************************************************************************************
*
* DameWare Mini Remote Control Client Agent Service
* Another Pre-Authentication Buffer Overflow
* By Jackson Pollocks No5
* www.jpno5.com
*
*
* Summary
* +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
* DameWare Mini Remote Control is "A lightweight remote control intended primarily
* for administrators and help desks for quick and easy deployment without
* external dependencies and machine reboot.
*
* Developed specifically for the 32-bit Windows environment (Windows 95/98/Me/NT/2000/XP),
* DameWare Mini Remote Control is capable of using the Windows challenge/response authentication
* and is able to be run as both an application and a service.
*
* Some additional features include View Only, Cursor control, Remote Clipboard, Performance Settings,
* Inactivity control, TCP only, Service Installation and Ping."
*
* A buffer overflow vulnerability can be exploited remotely by an unauthenticated attacker
* who can access the DameWare Mini Remote Control Server.
*
* By default (DameWare Remote Control Server) DWRCS listens on port 6129 TCP.
* An attacker can construct a specially crafted packet and exploit this vulnerability.
* The vulnerability is caused by insecure calls to the lstrcpyA function when checking the username.
*
*
* Severity: Critical
*
* Impact: Code Execution
*
* Local: Yes
*
* Remote: Yes
*
* Patch: Download version 4.9.0 or later and install over your existing installation.
* You can download the latest version of your DameWare Development Product at
* http://www.dameware.com/download
*
* Details: Affected versions will be any version above 4.0 and prior to 4.9
* of the Mini Remote Client Agent Service (dwrcs.exe).
*
* Discovery: I discovered this while using the DameWare Mini Remote Control client.
* I accidentally pasted in a large string of text instead of my username.
* Clicking connect led to a remote crash of the application server.
*
* Credits: Can't really remember whose shellcode I used; more than likely it was
* written by Brett Moore.
*
* The egghunter was written by MMiller (skape). {Which kicks ass btw}
*
* Thanks to spoonm for tracking that NtAccessCheckAndAuditAlarm
* universal syscall down.
*
* Some creds to Adik as well; I did code my own exploit but it had none
* of that fancy shit like OS and SP detection. So basically I just modded
* the payload from the old DameWare exploit (ver 3.72).
*
* A little cred to me as well, after all I did put all those guys' great
* work together to make something decent
*
************************************************************************************************/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
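The root cause named in the exploit header, an unbounded lstrcpyA copy of the client-supplied username before authentication, is the classic pattern below. This is an added example, not DameWare's code and not the exploit from the post: strcpy stands in for lstrcpyA so it builds on any platform, and the 64-byte buffer, the struct layout, the on-wire assumption that the username arrives as a NUL-terminated string, and every function name are invented for illustration (the real dwrcs.exe layout and packet format are not on the page). It puts the vulnerable copy beside a length-checked replacement and runs both on the kind of input the discoverer pasted by accident.

```c
/*
 * Added example, not DameWare's code and not the exploit from the post.
 * Models the bug the exploit header describes (an lstrcpyA-style
 * unbounded copy of the username in the pre-auth path) next to a
 * length-checked replacement.  Buffer size, struct layout, wire format
 * and function names are all assumptions made for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USERNAME_BUF 64   /* assumed size of the server-side buffer */

/* What the service has to work with: a username read from the socket
 * as a NUL-terminated string (the on-wire format is an assumption). */
struct login_request {
    const char *username;
};

/* Vulnerable pattern.  lstrcpyA, like strcpy, copies until the NUL in
 * the source and never consults the destination size, so a username
 * longer than USERNAME_BUF - 1 bytes writes past 'name' into whatever
 * the compiler placed after it (saved registers, the return address).
 * Only ever called with short input in this example; with a 300-byte
 * username it is the remote crash the discoverer saw. */
int check_username_unsafe(const struct login_request *req)
{
    char name[USERNAME_BUF];
    strcpy(name, req->username);        /* no bound: the bug */
    return (int)strlen(name);
}

/* Hardened pattern: bound the scan, reject anything that does not fit
 * together with its terminator, then copy an explicit byte count. */
int check_username_safe(const struct login_request *req,
                        char *out, size_t out_len)
{
    size_t n = 0;
    while (n < out_len && req->username[n] != '\0')
        n++;                            /* never read past out_len bytes */
    if (n >= out_len)
        return -1;                      /* too long for out + NUL: refuse */
    memcpy(out, req->username, n);
    out[n] = '\0';
    return (int)n;
}

/* Helpers that build a request and report the result, so the two
 * paths can be compared on the same input. */
int unsafe_result_for(const char *username)
{
    struct login_request req = { username };
    return check_username_unsafe(&req);
}

int safe_result_for(const char *username)
{
    struct login_request req = { username };
    char out[USERNAME_BUF];
    return check_username_safe(&req, out, sizeof out);
}

/* Constructed input: a username of 'len' repeated 'A' bytes, standing
 * in for the "large string of text" pasted into the username field. */
int safe_result_for_len(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return -2;
    memset(s, 'A', len);
    s[len] = '\0';
    int r = safe_result_for(s);
    free(s);
    return r;
}

int main(void)
{
    printf("safe,   'helpdesk' : %d\n", safe_result_for("helpdesk"));
    printf("safe,   63 x 'A'   : %d\n", safe_result_for_len(63));
    printf("safe,   64 x 'A'   : %d\n", safe_result_for_len(64));
    printf("safe,   300 x 'A'  : %d\n", safe_result_for_len(300));
    printf("unsafe, 'helpdesk' : %d\n", unsafe_result_for("helpdesk"));
    /* unsafe_result_for(300 x 'A') is deliberately not run: it would
     * overwrite the stack, which is exactly the advisory's bug. */
    return 0;
}
```

The safe path refuses the 64-byte and 300-byte usernames before any copy happens and accepts 63 bytes, the longest value that fits with its terminator; the unsafe path gives the same answer only while the input is short. For the real service the check to make is the one the page supports: dwrcs.exe at 4.9.0 or later on every host running the Client Agent Service, and TCP 6129 not reachable from anything but the administrative network.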
Copyright 2007, SecurityGlobal.net LLC