[Full-disclosure] Dameware critical hole

ad_at_class101.org
Date: 08/31/05

    To: <full-disclosure@lists.grok.org.uk>
    Date: Wed, 31 Aug 2005 21:54:20 +0100
    I haven't noticed any warning about this, but someone posted this POC to my forum and is confirming that it works. It is urgent to update your DameWare.

    /************************************************************************************************
    *************************************************************************************************
    *
    * DameWare Mini Remote Control Client Agent Service
    * Another Pre-Authentication Buffer Overflow
    * By Jackson Pollocks No5
    * www.jpno5.com
    *
    *
    * Summary
    * +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    * DameWare Mini Remote Control is "A lightweight remote control intended primarily
    * for administrators and help desks for quick and easy deployment without
    * external dependencies and machine reboot.
    *
    * Developed specifically for the 32-bit Windows environment (Windows 95/98/Me/NT/2000/XP),
    * DameWare Mini Remote Control is capable of using the Windows challenge/response authentication
    * and is able to be run as both an application and a service.
    *
    * Some additional features include View Only, Cursor control, Remote Clipboard, Performance Settings,
    * Inactivity control, TCP only, Service Installation and Ping."
    *
    * A buffer overflow vulnerability can be exploited remotely by an unauthenticated attacker
    * who can access the DameWare Mini Remote Control Server.
    *
    * By default, the DameWare Remote Control Server (DWRCS) listens on port 6129 TCP.
    * An attacker can construct a specially crafted packet and exploit this vulnerability.
    * The vulnerability is caused by insecure calls to the lstrcpyA function when checking the username.
    *
    *
    * Severity: Critical
    *
    * Impact: Code Execution
    *
    * Local: Yes
    *
    * Remote: Yes
    *
    * Patch: Download version 4.9.0 or later and install over your existing installation.
    * You can download the latest version of your DameWare Development Product at
    * http://www.dameware.com/download
    *
    * Details: Affected versions are any version above 4.0 and prior to 4.9
    * of the Mini Remote Client Agent Service (dwrcs.exe).
    *
    * Discovery: I discovered this while using the DameWare Mini Remote Control client.
    * I accidentally pasted in a large string of text instead of my username.
    * Clicking Connect led to a remote crash of the application server.
    *
    * Credits: Can't really remember whose shellcode I used; more than likely it was
    * written by Brett Moore.
    *
    * The egghunter was written by MMiller(skape). {Which kicks ass btw}
    *
    * Thanks to spoonm for tracking that NtAccessCheckAndAuditAlarm
    * universal syscall down.
    *
    * Some creds to A*** as well. I did code my own exploit, but it had none
    * of that fancy *** like OS and SP detection, so basically I just modded
    * the payload from the old DameWare exploit (ver 3.72).
    *
    * A little cred to me as well; after all, I did put all those guys' great
    * work together to make something decent.
    *
    ************************************************************************************/

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
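As an added illustration, not part of this post, JPNo5's exploit or DameWare's own code (which is not public): the unbounded lstrcpyA pattern the advisory blames, next to a length-checked version that rejects an oversized pre-authentication username before anything is copied. The 64-byte buffer size, the "admin" comparison and the function names are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>           /* real lstrcpyA: unbounded, like strcpy */
#else
#define lstrcpyA strcpy        /* same semantics on POSIX for this demo */
#endif

/* Assumed size of the agent's username buffer; not DameWare's real value. */
#define USERNAME_MAX 64

/* Vulnerable pattern the advisory describes: the username field arrives
 * before any authentication and is copied with no length check, so a field
 * of USERNAME_MAX bytes or more overruns 'user' on the stack. Returns 1 on
 * a match, 0 otherwise. Illustrative only: call it only with short input. */
int check_username_unbounded(const char *wire_user) {
    char user[USERNAME_MAX];
    lstrcpyA(user, wire_user);
    return strcmp(user, "admin") == 0;
}

/* Hardened pattern: take the field with its explicit length, reject anything
 * that cannot fit together with its terminator or that carries an embedded
 * NUL, and only then copy with a bound. Returns 1 on match, 0 on mismatch,
 * -1 when the field is rejected before any copy happens. */
int check_username_bounded(const char *wire_user, size_t wire_len) {
    char user[USERNAME_MAX];
    if (wire_user == NULL || wire_len == 0 || wire_len >= USERNAME_MAX)
        return -1;                     /* cannot fit: drop before copying */
    if (memchr(wire_user, '\0', wire_len) != NULL)
        return -1;                     /* malformed: NUL inside the field */
    memcpy(user, wire_user, wire_len);
    user[wire_len] = '\0';
    return strcmp(user, "admin") == 0;
}

/* Constructed oversized field (200 x 'A'), the shape of the accidental paste
 * in the advisory's Discovery section. Returns the bounded check's verdict. */
int oversized_username_verdict(void) {
    char big[200];
    memset(big, 'A', sizeof big);
    return check_username_bounded(big, sizeof big);
}

int main(void) {
    printf("valid username -> %d\n", check_username_bounded("admin", 5));
    printf("oversized      -> %d\n", oversized_username_verdict());
    return 0;
}
```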