| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <008a01c3ccbe$aef043e0$329f8018@youru10ixi0anw>
Date: Sat, 27 Dec 2003 13:16:23 -0800
From: "Tri Huynh" <trihuynh@...up.com>
To: <full-disclosure@...ts.netsys.com>, <bugtraq@...urityfocus.com>
Cc: <bugs@...uritytracker.com>, <news@...uriteam.com>, <vuln@...unia.com>
Subject: Landesk Management Suite IRCRBOOT.DLL buffer overflow
Landesk Management Suite IRCRBOOT.DLL buffer overflow
=================================================
PROGRAM: Landesk Management Suite
HOMEPAGE: http://www.landesk.com
VULNERABLE VERSIONS: 8.0 (untested, but highly possible vulnerable)
7.0 and below (tested)
DESCRIPTION
=================================================
Landesk Management Suite is the flagship of LANDesk family of
systems management products in managing medium-to-large networks.
LANDeskĀ® Management Suite enables IT professionals to automate systems
management tasks and proactively control desktops, servers and mobile
devices - all from a single console.
DETAILS
=================================================
Continuing our goal on cleaning dangerous ActiveX/COM components in
popular products, we have developed a Fuzzing Tool for ActiveX/COM
called "XKnight" (Not XXX, you perverts ! 8-) . XKnight works by fuzzing
the interface of the component to hunt for low-hanging fruits. And
fortunately, there are so many low-hanging fruits out there !!!
IRCRBOOT.DLL is an ActiveX/COM component that comes with
Landesk Management Suite. YAUTO.DLL is registered under a CLSID named
"DACBF5A1-33C5-11D3-A97E-00C04F72C145". In this component,
function SetClientAddress(bszAddr as String) is vulnerable to a
bufferoverflow attack when argument bszAddr is passed with a long string.
Since this is an ActiveX component, the vulnerability can
be exploited just by making a website with the correct CLSID of
the ActiveX and calling the function directly.
WORKAROUND
=================================================
Waiting and apply the patch from vendor and/or remove the file
temporary. Vendor is contacted (privacy@...desk.com) more than
3 weeks and they don't give a damn ! By the way, they don't put
an email on their website for contacting regarding about security problems.
CREDITS
=================================================
Discovered by Tri Huynh from SentryUnion
DISLAIMER
=================================================
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.
FEEDBACK
=================================================
Please send suggestions, updates, and comments to: trihuynh@...up.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists