lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <web-23694505@gator.darkhorse.com>
Date: Sun, 14 Dec 2003 07:10:41 -0800
From: "wirepair" <wirepair@...uemail.net>
To: bugtraq@...urityfocus.com
Subject: DameWare Mini Remote Control Server <= 3.72 Buffer Overflow


Product: DameWare Mini Remote Control <= 3.72.0.0
Vulnerability: Pre-Authentication Buffer Overflow
Severity: High Risk
Status: Vendor responded very quickly and has resolved the issue in 3.73 and later. 
The new version can be downloaded from http://www.dameware.com/downloads.

Description:
A buffer overflow vulnerability can be exploited remotely by an unauthenticated attacker
who can access the DameWare Mini Remote Control Server. By default (DameWare Remote Control 
Server) DWRCS listens on port 6129 TCP. By constructing fake communication packets pretending 
to be a client, we can cause a buffer overflow due to insecure calls to the strcpy (lstrcpyA) 
functions inside of DWRCS.exe. This overflow is caused after the client finishes sending all 
pre-authentication information. This includes local username, remote username, local NetBIOS 
name, Company Name, Registration Name, Registration Key, Date & time, lower case NetBIOS name, 
IP Address(s) of the client, and Version of the remote client. After this initial packet is sent, 
the client sends the requested authentication type (in this case NTLMSSP.) If the username is 
incorrect, the server will respond and then return from the vulnerable function.

Technical Details:
When first communicating with the DWRCS, packet dumps showed the server responds with the current 
Windows Service Pack level, as well as the Operating System Version in the second response packet. The OS 
can be identified by 16th and 17th bytes of this packet. 
This information can be used to find valid addresses for our op codes which we can change at will 
depending on how the server responds. Next if we send all of the variables listed in the description 
portion of this advisory, the server will respond whether or not authentication succeeded, or if 
there was an error. 
During the process of reading in these variables, the server copies these values using strcpy. 
Since no bounds checking is done, when the authentication fails (or possibly even succeeds), we 
can overwrite the return address on the stack and have the process call our code. 

I would like to thank DameWare for taking this issue seriously and working quickly
and successfully in releasing a patch which eradicates this issue. Once again
this issue has been resolved in version 3.73 and later.



Time Table:
Nov 21st, Vulnerability identified and Exploit written.
Nov 23rd, First contact with DameWare
Nov 24th, Response by DameWare stating they will inspect the issue.
Nov 26th, DameWare supplied me a hotfix to re-test.
Dec 4th, DameWare put hotfix (new version) Online for clients to download.
Dec 14th, This advisory is released.
Dec 20th, I plan on releasing my exploit code.

This advisory can also be found on my site:
http://sh0dan.org/files/dwmrcs372.txt

I have tested my code on 3.70 and 3.72 I presume other versions vulnerable.
-wire
--
Visit Things From Another World for the best
comics, movies, toys, collectibles and more.
http://www.tfaw.com/?qt=wmf

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ