lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20030813084641.GA2272@felinemenace.org>
Date: Wed, 13 Aug 2003 01:46:41 -0700
From: ash@...inemenace.org
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: DameWare Mini-RC Shatter

Program: DameWare Mini Remote Control Server
Version: Prior to 3.71.0.0
Impact: Users can escalate to SYSTEM
Discovered: ash
Writeup and exploits: ash

1) Background

   From DameWare Development web site:
   A lightweight remote control intended primarily for administrators
   and help desks for quick and easy deployment without external
   dependencies and machine reboot. Developed specifically for the 32 bit
   Windows environment (Windows 95/98/Me/NT/2000/XP), DameWare Mini Remote
   Control is capable of using the Windows challenge/response authentication
   and is able to be run both as an application and a service.
   Some additional features include View Only,Cursor control, Remote
   Clipboard, Performance Settings, Inactivity control, TCP only,
   Service Installation and Ping.

2) Description

   DameWare Mini Remote Control Server runs on the users desktop as SYSTEM.
   This is vulnerable to a shatter style attack.
   See below for a fix that resolves all currently known issues.

3) Notes

   As a guest user exploitation results in

   F:\Program Files\Resource Kit>WHOAMI.EXE
   NT AUTHORITY\SYSTEM

   This type of vulnerability requires some access to a desktop
   with DameWare server running.

   This is a local privalege escalation vulnerability.

   Proof of concept code to exploit this vulnerability is attached.

4) Detection

   Check your process list for DWRCS.exe running as SYSTEM
   Check the version.

5) Vendor status/notes/fixes/statements

   Dameware Development has repaired all current known vulnerabilities.

   Dameware Development will continue researching and developing alternate
   development methods to ensure their software remains secure.

   A fix is available from Dameware Development by downloading version
   3.71.0.0 or later from their website.[1]


References:

http://www.dameware.com/download


View attachment "fm-shatterdame.c" of type "text/plain" (3808 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ