lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 15 Sep 2005 00:29:12 -0000
From: cocoruder@....com
To: bugtraq@...urityfocus.com
Subject: DriverStudio Remote Control Authentication Bypass Vulnerability


DriverStudio Remote Control Authentication Bypass Vulnerability

by cocoruder
page:http://ruder.cdut.net
email:cocoruder@....com && frankruder@...mail.com

Last Update:2005.09.10
class:design error
date:10/9/2005
Remote:yes
local:yes

Product Affected:
>=NuMega.DriverStudio.v2.7

I  test successfully on: 
NuMega.DriverStudio.v2.7(windows 2000 sp4|windows xp sp1)
NuMega.DriverStudio.v3.0beta2(windows 2000 sp4|windows xp sp1)

Vendor:
www.compuware.com

Overview:
SoftICE Driver Suite is an most popular kenerl-debug software suite,the default-setup "DriverStudio Remote Contro" service(process name:DSRsvc.exe) allow a user to configure Softice on the remote computer,authenticate with currently-login username and password. but the authentication can be bypassed,that any remote attacker can modifit  local Softice-setting file(winice.dat).

Details:
the remote-control communications use DEC RPC protocol,authenticate with NTLMv1,if we authenticate with NULL Session Login(NULL user name,NULL NTLM hash),we can also authenticate successfully.that we can modifit "winice.dat".disable the windows NULL Session Login will not be effective.
another vulnerability is erveryone send follow buffer to the UDP port 9110 can make the system reboot. 
02 00 00 00 41 41 41 00		;00000002 --->reboot command
colligate the two vulnerability can get system privilege.

exploit:
1.modifit winice.dat(use modifit_config.cpp to send winice_attack.dat to target)
2.modifit softice boot-type to:Automatic
3.send the reboot buffer to target UDP 9110,and waiting target computer reboot(use send_reboot.cpp)
4.send shellcode buffer to UDP 9110(use send_shellcode.cpp)

all the code will not be published until the vendor release the patch:)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ