| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Aug 31 20:55:45 2005
From: ad at class101.org (ad@...ss101.org)
Subject: Dameware critical hole
haven't notice any warning about this but someone posted that POC to my forum and is confirming that it works, this is urgent to update your dameware .....
/************************************************************************************************
* _ ______
* (_)___ ____ ____ / ____/
* / / __ \/ __ \/ __ \/___ \
* / / /_/ / / / / /_/ /___/ /
* __/ / .___/_/ /_/\____/_____/
* /___/_/======================
*************************************************************************************************
*
* DameWare Mini Remote Control Client Agent Service
* Another Pre-Authentication Buffer Overflow
* By Jackson Pollocks No5
* www.jpno5.com
*
*
* Summary
* +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
* DameWare Mini Remote Control is "A lightweight remote control intended primarily
* for administrators and help desks for quick and easy deployment without
* external dependencies and machine reboot.
*
* Developed specifically for the 32-bit Windows environment (Windows 95/98/Me/NT/2000/XP),
* DameWare Mini Remote Control is capable of using the Windows challenge/response authentication
* and is able to be run as both an application and a service.
*
* Some additional features include View Only, Cursor control, Remote Clipboard, Performance Settings,
* Inactivity control, TCP only, Service Installation and Ping."
*
* A buffer overflow vulnerability can be exploited remotely by an unauthenticated attacker
* who can access the DameWare Mini Remote Control Server.
*
* By default (DameWare Remote Control Server) DWRCS listens on port 6129 TCP.
* An attacker can construct a specialy crafted packet and exploit this vulnerability.
* The vulnerability is caused by insecure calls to the lstrcpyA function when checking the username.
*
*
* Severity: Critical
*
* Impact: Code Execution
*
* Local: Yes
*
* Remote: Yes
*
* Patch: Download version 4.9.0 or later and install over your existing installation.
* You can download the latest version of your DameWare Development Product at
* http://www.dameware.com/download
*
* Details: Affected versions will be any ver in above 4.0 and prior to 4.9
* of the Mini Remote Client Agent Service (dwrcs.exe).
*
* Discovery: i discovered this while using the dameware mini remote control client.
* i accidently pasted in a large string of text instead of my username.
* Clicking connect led to a remote crash of the application server.
*
* Credits: Can't really remember who's shellcode i used, more than likely it was
* written by Brett Moore.
*
* The egghunter was written by MMiller(skape). {Which kicks ass btw}
*
* Thanks to spoonm for tracking that NtAccessCheckAndAuditAlarm
* universal syscall down.
*
* Some creds to Adik as well, i did code my own exploit but it had none
* of that fancy shit like OS and SP detection. So basicly i just modded
* the payload from the old dameware exploit(ver 3.72).
*
* A little cred to me as well, after all i did put all them guys great
* work together to make something decent
*
************************************************************************************/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050831/b1b33a6c/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 174 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050831/b1b33a6c/attachment-0001.gif
Powered by blists - more mailing lists