lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201603171630.u2HGU12G008889@sf01web2.securityfocus.com>
Date: Thu, 17 Mar 2016 16:30:01 GMT
From: contact@...urifera.com
To: bugtraq@...urityfocus.com
Subject: [CVE-2016-2345] Solarwinds Dameware Mini Remote Control Remote
 Code Execution Vulnerability

Document Title:
===============
Solarwinds Dameware Mini Remote Control Remote Code Execution Vulnerability

References (Source):
====================
http://www.kb.cert.org/vuls/id/897144
https://www.securifera.com/advisories/cve-2016-2345
http://www.dameware.com/products/mini-remote-control/product-overview.aspx

Release Date:
=============
2016-03-17

Product & Service Introduction:
===============================
Solarwinds Dameware Mini Remote Control allows for the remote administration of client systems of various operating system and architecture. 

Vulnerability Information:
==============================
Class: CWE-121: Stack-based Buffer Overflow
Impact: Remote Code Execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2016-2345

Vulnerability Description:
==============================
A certain remote message parsing function inside the Dameware Mini Remote Control service does not properly validate the input size of an incoming string before passing it to wsprintfw.  As a result, a specially crafted message can overflow into the bordering format field and subsequently overflow the stack frame. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the dwmrcs daemon.

Vulnerability Disclosure Timeline:
==================================
2015-12-17: Contact Solarwinds and Request Security Contact Info From Support Team
2015-12-22: Vendor Sends Link to Recent Patches, Denies Security Contact Info Request
2015-12-29: Notify Vendor Patches Are Unrelated, Offer POC, & Request Contact with Security Team Again
2016-12-31: Vendor Replies That “Details” Were Forwarded To Developers Although None Have Been Requested Or Given Yet
2016-01-08: Follow-up with Vendor; Send POC for Developers
2016-01-08: Vendor Confirms Reciept of POC & Forwards to Developers
2016-01-20: Enlist US-CERT Assistance with Vendor
2016-01-20: Vendor Asks If We Will Test A Patch; We Confirm With Vendor
2016-02-04: Follow-Up with Vendor to Receive Patch
2016-02-04: Vendors Sends Patch
2016-02-04: Notify Vendor Patch Consists of a NX Recompile. Notify Vendor of Workarounds & Urge For Actual Fix. Request Contact Info For Developers Again
2016-02-04: Vendors Forwards to Developers
2016-02-14: Update US-CERT on Progress. They Attempt to Contact Vendor Security Team Independantly
2016-03-03: Follow-up With Vendor
2016-03-03: Vendor Requests Remote Access to Our System
2016-03-04: Request Denied. We Suggest Several Trivial Potential Fixes For Vulnerability & Notify Of Impending 90 Disclosure Date
2016-03-08: Vendor Forwards to Developers
2016-03-17: Coordinated Public Disclosure with US-CERT


Affected Product(s):
====================
Solarwinds Dameware Mini Remote Control 12.0 ( previous versions have not been verified )

Severity Level:
===============
High

Proof of Concept (PoC):
=======================
A proof of concept will not be provided at this time.

Solution - Fix & Patch:
=======================
There is currently no patch. Please block remote access to port 6129 at a minimum.

Security Risk:
==============
The security risk of this remote code execution vulnerability is estimated as high. (CVSS 10.0)

Credits & Authors:
==================
Securifera, Inc - b0yd

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Securifera disclaims all warranties, either expressed or implied, 
including the warranties of merchantability and capability for a particular purpose. Securifera is not liable in any case of damage, 
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Securifera or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, or hack into any systems.

Domains: www.securifera.com
Contact: contact [at] securifera [dot] com
Social:	twitter.com/securifera

Copyright © 2016 | Securifera, Inc

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ