Message-ID: <000701c5ae6e$2969ead0$0400a8c0@0090F53F93E8>
Date: Wed Aug 31 20:55:45 2005
From: ad at class101.org (ad@...ss101.org)
Subject: Dameware critical hole
I haven't noticed any warning about this, but someone posted this POC to my forum and is confirming that it works. It is urgent to update your DameWare .....
/************************************************************************************************
* _ ______
* (_)___ ____ ____ / ____/
* / / __ \/ __ \/ __ \/___ \
* / / /_/ / / / / /_/ /___/ /
* __/ / .___/_/ /_/\____/_____/
* /___/_/======================
*************************************************************************************************
*
* DameWare Mini Remote Control Client Agent Service
* Another Pre-Authentication Buffer Overflow
* By Jackson Pollocks No5
* www.jpno5.com
*
*
* Summary
* +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
* DameWare Mini Remote Control is "A lightweight remote control intended primarily
* for administrators and help desks for quick and easy deployment without
* external dependencies and machine reboot.
*
* Developed specifically for the 32-bit Windows environment (Windows 95/98/Me/NT/2000/XP),
* DameWare Mini Remote Control is capable of using the Windows challenge/response authentication
* and is able to be run as both an application and a service.
*
* Some additional features include View Only, Cursor control, Remote Clipboard, Performance Settings,
* Inactivity control, TCP only, Service Installation and Ping."
*
* A buffer overflow vulnerability can be exploited remotely by an unauthenticated attacker
* who can access the DameWare Mini Remote Control Server.
*
* By default (DameWare Remote Control Server) DWRCS listens on port 6129 TCP.
* An attacker can construct a specially crafted packet and exploit this vulnerability.
* The vulnerability is caused by insecure calls to the lstrcpyA function when checking the username.
*
*
* Severity: Critical
*
* Impact: Code Execution
*
* Local: Yes
*
* Remote: Yes
*
* Patch: Download version 4.9.0 or later and install over your existing installation.
* You can download the latest version of your DameWare Development Product at
* http://www.dameware.com/download
*
* Details: Affected versions are any version above 4.0 and prior to 4.9
* of the Mini Remote Client Agent Service (dwrcs.exe).
*
* Discovery: I discovered this while using the DameWare Mini Remote Control client.
* I accidentally pasted in a large string of text instead of my username.
* Clicking connect led to a remote crash of the application server.
*
* Credits: Can't really remember whose shellcode I used; more than likely it was
* written by Brett Moore.
*
* The egghunter was written by MMiller(skape). {Which kicks ass btw}
*
* Thanks to spoonm for tracking that NtAccessCheckAndAuditAlarm
* universal syscall down.
*
* Some creds to Adik as well. I did code my own exploit, but it had none
* of that fancy shit like OS and SP detection, so basically I just modded
* the payload from the old DameWare exploit (ver 3.72).
*
* A little cred to me as well; after all, I did put all those guys' great
* work together to make something decent.
*
************************************************************************************/
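The bug class the header describes (an unbounded lstrcpyA of the network-supplied username into a fixed-size buffer, reached before authentication) is easy to show in miniature. The following is an added illustration written for this page; it is not code from the original post, from jpno5, or from DameWare. The 32-byte buffer size, the function names, and the use of strcpy as a portable stand-in for lstrcpyA are assumptions for the example, not facts about dwrcs.exe; the hardened variant shows the length check the vulnerable copy lacks.

```c
/* Illustration of the advisory's bug class: an unbounded string copy of an
 * attacker-supplied username into a fixed-size stack buffer, beside a bounded
 * version that checks the length first.  USERNAME_MAX and the function names
 * are assumptions for this example and are not taken from DWRCS. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 32   /* assumed fixed buffer size; not DWRCS's real value */

/* Portable stand-in for lstrcpyA: copies up to and including the NUL
 * terminator with no regard for the destination size (strcpy semantics). */
static char *copy_unbounded(char *dst, const char *src)
{
    return strcpy(dst, src);
}

/* Vulnerable pattern.  The username field taken off the wire is copied as a
 * C string into a 32-byte local.  Anything longer than 31 bytes writes past
 * the buffer, which is the remote crash the header's author saw after
 * pasting a long string into the username box.  Never feed this untrusted
 * input; it exists only to show the shape of the defect. */
int check_username_vulnerable(const char *net_username)
{
    char user[USERNAME_MAX];
    copy_unbounded(user, net_username);        /* no length check at all */
    return strcmp(user, "admin") == 0;         /* placeholder for the real check */
}

/* Hardened pattern.  Treat the field as length-delimited bytes, reject it if
 * it cannot fit with a terminator, reject embedded NULs (they would silently
 * truncate), and only then copy with an explicit bound.
 * Returns 1 if the username was accepted for further checking, 0 if rejected. */
int check_username_bounded(const uint8_t *field, size_t field_len)
{
    char user[USERNAME_MAX];

    if (field == NULL || field_len == 0 || field_len >= sizeof user)
        return 0;                              /* would overflow: reject */
    if (memchr(field, '\0', field_len) != NULL)
        return 0;                              /* malformed field: reject */

    memcpy(user, field, field_len);
    user[field_len] = '\0';
    return 1;                                  /* authentication continues here */
}

int main(void)
{
    /* Constructed sample inputs: a normal username and a 600-byte one like
     * the accidental paste described in the header. */
    uint8_t big[600];
    memset(big, 'A', sizeof big);

    printf("short username accepted: %d\n",
           check_username_bounded((const uint8_t *)"admin", 5));   /* 1 */
    printf("600-byte username accepted: %d\n",
           check_username_bounded(big, sizeof big));               /* 0 */
    return 0;
}
```

The point of the bounded version is that the length decision is made on the wire-side byte count before any copy happens, so the stack buffer size never depends on what the peer sends. A name of exactly 31 bytes fits (room for the terminator); 32 or more is refused outright rather than truncated.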