Message-ID: <1294507987.2901.49.camel@muller>
Date: Sat, 08 Jan 2011 18:33:07 +0100
From: Luca Carettoni <luca.carettoni@...isoft.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: NetSupport Manager Agent Remote Buffer Overflow (Linux, Solaris, Mac, ...)

=======================================================================
NetSupport Manager Agent Remote Buffer Overflow (Linux,Solaris,Mac,...)
=======================================================================

Affected Software : NetSupport Manager Agent (see below for details)
Severity          : High
Local/Remote      : Remote
Author            : @_ikki

[Summary]

NetSupport Manager is a multi-platform remote PC support and desktop management system. It is used in many corporations as a replacement for standard remote desktop applications (e.g. Windows terminal service).

In a basic configuration setup, two main software components have to be installed: a controller and a client (also referred to as 'agent'). The former is used to remotely control workstations, whereas the latter should be present in all workstations that are to be taken over. Agents for different platforms exist, including Microsoft Windows, Linux, Apple Mac, Solaris, and even portable devices based on PocketPC or Windows CE.

A stack-based buffer overflow has been discovered. No authentication is required in order to exploit this issue.

[Vulnerability Details]

The application fails to validate user supplied data before copying it into a limited buffer. As a result, it is possible to exploit this flaw to execute arbitrary code within the context of the affected application or cause Denial of Service.

In detail, during the NetSupport's binary protocol handshake, the control component announces itself to the agent. In the first packet, a field containing the control hostname is used without boundary checks.

Successful exploitation against Linux/Unix and Mac platforms results in full access with root privileges.

As for my research, the following software is affected:

{Vulnerable}
NetSupport Manager for Linux v11.00, NetSupport Manager for Solaris v9.50, NetSupport Manager for Mac OS X v11.00 and likely all previous releases for these platforms

{Not Vulnerable}
NetSupport Manager for Windows v11.00

{Unknown}
NetSupport Manager for Windows CE v11.00, NetSupport Manager for Pocket PC v11.00, NetSupport Manager for DOS v7.01 and other products based on the same codebase (e.g. NetSupport School)

[Proof-Of-Concept]

A reliable standalone exploit for the NetSupport Manager Linux (releases v11.0.0 and v10.50.0) has been developed:
http://www.ikkisoft.com/stuff/netsupport_linux.txt

If you have spare time, please consider porting this exploit to Metasploit :)

[Fix Information]

As far as I know, this vulnerability is still unpatched. In the meantime, users can either disable the service or allow access from a specific IP only.

Back in 2007, folks at Digital Defense, Inc. have published a similar vulnerability (the same?) in the Windows agent. A few days later, the vendor patched the flaw without providing any acknowledgement. As no technical details are available, I cannot confirm that it is exactly the same flaw.

Cheers,
@_ikki

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
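The advisory describes the bug class only in prose: a hostname field in the first handshake packet is copied into a fixed-size buffer without a boundary check. The following added example (written for this page, not NetSupport's code, and using an assumed, simplified hello layout of one type byte, one length byte and the hostname bytes) shows how a parser for such a field should validate the announced length against both the bytes actually received and the destination buffer before copying, so an oversized or truncated hostname is rejected rather than written past the buffer. The packet format, buffer size and function names are illustrative assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed, simplified hello layout (NOT NetSupport's real wire format):
 *   byte 0     : message type, 0x01 = control announces itself to the agent
 *   byte 1     : hostname length N (0..255), attacker-controlled
 *   bytes 2..  : N hostname bytes, not NUL-terminated on the wire
 */
#define HELLO_TYPE_CONTROL 0x01
#define HOSTNAME_MAX 64          /* size of the fixed destination buffer */

typedef struct {
    char hostname[HOSTNAME_MAX];
} control_hello_t;

enum parse_result {
    PARSE_OK = 0,
    PARSE_TRUNCATED,   /* announced length exceeds the bytes actually received */
    PARSE_TOO_LONG,    /* announced length would not fit the destination buffer */
    PARSE_BAD_TYPE
};

/* Bounded parser: the length byte comes from the peer, so it is checked
 * against both the received packet and the destination before memcpy. */
enum parse_result parse_control_hello(const uint8_t *pkt, size_t pkt_len,
                                      control_hello_t *out)
{
    if (pkt_len < 2)                  return PARSE_TRUNCATED;
    if (pkt[0] != HELLO_TYPE_CONTROL) return PARSE_BAD_TYPE;
    size_t name_len = pkt[1];
    if (name_len > pkt_len - 2)       return PARSE_TRUNCATED;
    if (name_len >= HOSTNAME_MAX)     return PARSE_TOO_LONG;  /* keep room for NUL */
    memcpy(out->hostname, pkt + 2, name_len);
    out->hostname[name_len] = '\0';
    return PARSE_OK;
}

/* Builds a hello packet for the checks below; returns packet length, 0 on failure. */
size_t build_control_hello(uint8_t *buf, size_t buf_len, const char *name)
{
    size_t name_len = strlen(name);
    if (name_len > 255 || buf_len < name_len + 2) return 0;
    buf[0] = HELLO_TYPE_CONTROL;
    buf[1] = (uint8_t)name_len;
    memcpy(buf + 2, name, name_len);
    return name_len + 2;
}

/* Check 1: a normal hostname (constructed) is accepted and NUL-terminated. */
int check_short_name_accepted(void)
{
    uint8_t buf[300];
    control_hello_t hello;
    size_t n = build_control_hello(buf, sizeof buf, "ctrl-01");
    return n == 9
        && parse_control_hello(buf, n, &hello) == PARSE_OK
        && strcmp(hello.hostname, "ctrl-01") == 0;
}

/* Check 2: a 200-byte hostname (constructed) is rejected instead of copied. */
int check_long_name_rejected(void)
{
    char name[201];
    memset(name, 'A', 200);
    name[200] = '\0';
    uint8_t buf[300];
    control_hello_t hello;
    size_t n = build_control_hello(buf, sizeof buf, name);
    return n == 202 && parse_control_hello(buf, n, &hello) == PARSE_TOO_LONG;
}

/* Check 3: a length byte claiming more data than arrived is rejected. */
int check_truncated_rejected(void)
{
    uint8_t buf[300];
    control_hello_t hello;
    size_t n = build_control_hello(buf, sizeof buf, "ctrl-01");
    /* hand the parser only the header plus 3 of the 7 hostname bytes */
    return n == 9 && parse_control_hello(buf, 5, &hello) == PARSE_TRUNCATED;
}

int main(void)
{
    printf("short name accepted: %d\n", check_short_name_accepted());
    printf("long name rejected:  %d\n", check_long_name_rejected());
    printf("truncated rejected:  %d\n", check_truncated_rejected());
    return 0;
}
```

The two length checks are the whole point: the first prevents reading past the received packet, the second prevents writing past the fixed buffer, and the `>= HOSTNAME_MAX` comparison (rather than `>`) leaves room for the terminating NUL. A service that cannot be patched should at least be reachable only from the control hosts that need it, as the advisory's workaround suggests.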