lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <008a01c3ccbe$aef043e0$329f8018@youru10ixi0anw>
From: trihuynh at zeeup.com (Tri Huynh)
Subject: Landesk Management Suite IRCRBOOT.DLL buffer overflow

Landesk Management Suite IRCRBOOT.DLL buffer overflow
 =================================================

 PROGRAM: Landesk Management Suite
HOMEPAGE: http://www.landesk.com
VULNERABLE VERSIONS: 8.0 (untested, but highly possible vulnerable)
                                               7.0 and below (tested)


 DESCRIPTION
 =================================================

 Landesk Management Suite is the flagship of LANDesk family of
 systems  management products in managing medium-to-large networks.
LANDesk? Management Suite enables IT professionals to automate systems
management tasks and proactively control desktops, servers and mobile
devices - all from a single console.


 DETAILS
 =================================================

Continuing our goal on cleaning dangerous ActiveX/COM components in
popular products, we have developed a Fuzzing Tool for ActiveX/COM
called "XKnight" (Not XXX, you perverts ! 8-) . XKnight works by fuzzing
the interface of the component to hunt for low-hanging fruits. And
fortunately, there are so many low-hanging fruits out there !!!

 IRCRBOOT.DLL  is an ActiveX/COM component that comes with
 Landesk Management Suite. YAUTO.DLL is registered under a CLSID named
 "DACBF5A1-33C5-11D3-A97E-00C04F72C145". In this component,
 function SetClientAddress(bszAddr as String) is vulnerable to a
 bufferoverflow  attack when argument bszAddr is passed with a long string.
 Since this is an ActiveX component, the vulnerability can
 be exploited just by making a website with the correct CLSID of
 the ActiveX and calling the function directly.


 WORKAROUND
 =================================================

 Waiting and apply the patch from vendor and/or remove the file
 temporary. Vendor is contacted (privacy@...desk.com) more than
3 weeks and they don't give a damn ! By the way, they don't put
an email on their website for contacting regarding about security problems.



 CREDITS
 =================================================

 Discovered by Tri Huynh from SentryUnion


 DISLAIMER
 =================================================

 The information within this paper may change without notice. Use of
 this information constitutes acceptance for use in an AS IS condition.
 There are NO warranties with regard to this information. In no event
 shall the author be liable for any damages whatsoever arising out of
 or in connection with the use or spread of this information. Any use
 of this information is at the user's own risk.


 FEEDBACK
 =================================================

 Please send suggestions, updates, and comments to: trihuynh@...up.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ