| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: vuln at hexview.com (vuln@...view.com) Subject: [HV-MED] DoS in Microsoft SMS Client -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Denial of Service (DoS) in Microsoft SMS Client Classification: =============== Level: low-[MED]-high-crit ID: HEXVIEW*2004*07*14*1 Overview: ========= Microsoft Systems Management Server provides configuration management solution for Windows platform. It is widely deployed in medium and large network environments. A flaw in SMS Remote Control service makes possible to crash the service remotely leading to the DoS condition. Affected products: ================== All tests were performed on a client part of Microsoft Systems Management Server version 2.50.2726.0. Cause and Effect: ================= SMS Remote Control Client service is listening on TCP ports 2701 and 2702. The service performs basic signature checks and size tests on received data and assumes the data is correct if those tests pass. It is possible to create a data packet that will go through basic checks and throw an exception by causing the server to read or write to an invalid memory address. It is also possible to specify the memory address value in the data packet. Initial analysis showed that the problem is not [easily] exploitable because there is no buffer overflow condition and it is not possible to specify the data to be written to the memory. The exception occurs in multprot.dll library when the service makes an API call with invalid parameters. Demonstration: ============== The problem can be reproduced by sending the "RCH0####RCHE" string followed by a large number of characters (over 130) to TCP port 2702. Vendor Status: ============== At the time of release vendor was not aware of the vulnerability. HexView does not notify vendors unless there is a prior agreement to do so. Vendors interested in receiving notifications prior to public disclosure or more detailed analysis may obtain more information by writing to the e-mail address provided at the end of the document. About HexView: ============== HexView contributes to online security-related lists for almost a decade. The scope of our expertize spreads over Windows, Linux, Sun, MacOS platforms, network applications, and embedded devices. The chances are you read our advisories or disclosures. For the sake of readability and easy web indexing we recently decided to use the HexView alias to publish all the information. Distribution: ============= This document may be freely distributed through any channels as long as the contents are kept unmodified. Commercial use of the information in the document is not allowed without written permission from HexView signed by our pgp key. Feedback and comments: ====================== Feedback and questions about this disclosure are welcome at vtalk@...view.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFA9X2KDPV1+KQrDqQRAp/UAJ9NfG+WEUFviKTe5cH3Tx07PLkmTACfTujL ts+oqYjC+gSL04mD/0qvQV4= =mUX1 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists