Date: Sat, 08 Jan 2011 18:33:07 +0100
From: Luca Carettoni <luca.carettoni@...isoft.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: NetSupport Manager Agent Remote Buffer Overflow
 (Linux, Solaris, Mac, ...)

======================================================================= 
NetSupport Manager Agent Remote Buffer Overflow (Linux,Solaris,Mac,...)
=======================================================================
   
Affected Software : NetSupport Manager Agent (see below for details)
Severity          : High
Local/Remote      : Remote
Author            : @_ikki

[Summary]

NetSupport Manager is a multi-platform remote PC support and desktop
management system. It is used in many corporations as a replacement for
standard remote desktop applications (e.g. Windows Terminal Services). In
a basic configuration, two main software components have to be
installed: a controller and a client (also referred to as the 'agent'). The
former is used to remotely control workstations, whereas the latter
must be present on every workstation that is to be controlled. Agents
for different platforms exist, including Microsoft Windows, Linux, Apple
Mac, Solaris, and even portable devices based on PocketPC or Windows CE.

A stack-based buffer overflow has been discovered.
No authentication is required in order to exploit this issue. 

[Vulnerability Details]

The application fails to validate user-supplied data before copying it
into a fixed-size buffer. As a result, it is possible to exploit this flaw
to execute arbitrary code within the context of the affected application
or to cause a denial of service. In detail, during the NetSupport binary
protocol handshake, the control component announces itself to the agent.
In the first packet, a field containing the controller hostname is copied
without boundary checks. Successful exploitation against Linux/Unix and
Mac platforms results in full access with root privileges.
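The defect described above is the classic unchecked-length copy of a remotely supplied field into a fixed stack buffer. The following is an added illustration, not NetSupport's code: the wire format (one type byte, one length byte, then the hostname) is invented for the example, and the function and constant names are hypothetical. It shows the unchecked copy beside a hardened parser that validates the field length against both the bytes actually received and the destination buffer before copying.

```c
/* Added example: a length-prefixed "hello" message carrying a hostname,
 * parsed first the unchecked way an overflow like the one in the advisory
 * arises, then with the bounds checks a hardened parser needs.
 * The message layout here is CONSTRUCTED for illustration and is NOT the
 * NetSupport Manager protocol. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOST_BUF  32     /* fixed-size stack buffer for the peer hostname */
#define MSG_HELLO 0x01   /* hypothetical message type for the handshake */

/* Result codes returned by the hardened parser. */
enum parse_result {
    PARSE_OK = 0,
    PARSE_SHORT = -1,     /* length byte claims more data than was received */
    PARSE_TOO_LONG = -2,  /* hostname does not fit the destination buffer */
    PARSE_BAD_TYPE = -3   /* not a hello message */
};

/* Unchecked pattern: trusts the length byte chosen by the remote peer.
 * Any length above HOST_BUF-1 writes past 'host' on the caller's stack.
 * Kept only to show the defect; never called with hostile input below. */
static void hello_hostname_unchecked(const uint8_t *pkt, char *host)
{
    uint8_t n = pkt[1];
    memcpy(host, pkt + 2, n);   /* no comparison against the buffer size */
    host[n] = '\0';
}

/* Hardened pattern: the field length is checked against the packet length
 * actually received and against the destination buffer before any copy. */
static enum parse_result hello_hostname_checked(const uint8_t *pkt, size_t pkt_len,
                                                char *host, size_t host_len)
{
    if (pkt_len < 2) return PARSE_SHORT;
    if (pkt[0] != MSG_HELLO) return PARSE_BAD_TYPE;
    size_t n = pkt[1];
    if (n > pkt_len - 2) return PARSE_SHORT;    /* field runs past the packet */
    if (n >= host_len) return PARSE_TOO_LONG;   /* leave room for the NUL */
    memcpy(host, pkt + 2, n);
    host[n] = '\0';
    return PARSE_OK;
}

/* Builds a constructed hello message into 'out'; returns its total length,
 * or 0 if the hostname cannot be encoded. */
static size_t build_hello(uint8_t *out, size_t out_len, const char *hostname)
{
    size_t n = strlen(hostname);
    if (n > 255 || out_len < n + 2) return 0;
    out[0] = MSG_HELLO;
    out[1] = (uint8_t)n;
    memcpy(out + 2, hostname, n);
    return n + 2;
}

/* Convenience wrapper: encode a hostname and run it through the checked path. */
static enum parse_result parse_hello(const char *hostname, char *host, size_t host_len)
{
    uint8_t pkt[300];
    size_t len = build_hello(pkt, sizeof pkt, hostname);
    if (len == 0) return PARSE_SHORT;
    return hello_hostname_checked(pkt, len, host, host_len);
}

int main(void)
{
    char host[HOST_BUF];
    uint8_t pkt[300];

    /* Well-formed hello: both parsers produce the same result. */
    size_t len = build_hello(pkt, sizeof pkt, "controller01");
    hello_hostname_unchecked(pkt, host);
    printf("unchecked: %s\n", host);
    printf("checked:   rc=%d host=%s\n",
           hello_hostname_checked(pkt, len, host, sizeof host), host);

    /* Oversized hostname: the checked parser rejects it instead of copying. */
    char longname[200];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("oversized: rc=%d\n", parse_hello(longname, host, sizeof host));
    return 0;
}
```

The two checks in `hello_hostname_checked` are independent: the first catches a length byte that exceeds the data actually on the wire (an out-of-bounds read), the second catches a hostname that would not fit the stack buffer (the out-of-bounds write the advisory describes). A parser that performs only one of them is still unsafe.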

Based on my research, the following software is affected:

{Vulnerable} 
NetSupport Manager for Linux v11.00, NetSupport Manager for Solaris
v9.50, NetSupport Manager for Mac OS X v11.00 and likely all previous
releases for these platforms

{Not Vulnerable}
Netsupport Manager for Windows v11.00

{Unknown}
Netsupport Manager for Windows CE v11.00, Netsupport Manager for Pocket
PC v11.00, NetSupport Manager for DOS v7.01 and other products based
on the same codebase (e.g. NetSupport School)

[Proof-Of-Concept]

A reliable standalone exploit for NetSupport Manager for Linux (releases
v11.0.0 and v10.50.0) has been developed:
http://www.ikkisoft.com/stuff/netsupport_linux.txt

If you have spare time, please consider porting this exploit to
Metasploit :)
  
[Fix Information]

As far as I know, this vulnerability is still unpatched.
In the meantime, users can either disable the service or restrict access
to specific source IP addresses only.

Back in 2007, Digital Defense, Inc. published a similar
vulnerability (the same?) in the Windows agent. A few days later, the
vendor patched the flaw without providing any acknowledgement. As no
technical details are available, I cannot confirm that it is exactly the
same flaw.

Cheers,
@_ikki 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/