[NT] DameWare Mini Remote Control Buffer Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 12/17/03
To: list@securiteam.com Date: 17 Dec 2003 08:59:22 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
DameWare Mini Remote Control Buffer Overflow
------------------------------------------------------------------------
SUMMARY
<http://www.dameware.com/products/> DameWare Mini Remote Control is "A
lightweight remote control intended primarily for administrators and help
desks for quick and easy deployment without external dependencies and
machine reboot. Developed specifically for the 32-bit Windows environment
(Windows 95/98/Me/NT/2000/XP), DameWare Mini Remote Control is capable of
using the Windows challenge/response authentication and is able to be run
as both an application and a service. Some additional features include
View Only, Cursor control, Remote Clipboard, Performance Settings,
Inactivity control, TCP only, Service Installation and Ping."
A buffer overflow vulnerability can be exploited remotely by an
unauthenticated attacker who can reach the DameWare Mini Remote Control
Server (DWRCS). By default DWRCS listens on port 6129 TCP. An attacker can
exploit this vulnerability by sending specially crafted packets over that
TCP connection; no valid credentials are required.
DETAILS
Vulnerable Systems:
* DameWare Mini Remote Control version 3.72 and prior
Immune Systems:
* DameWare Mini Remote Control version 3.73
By constructing fake communication packets that impersonate a client, an
attacker can cause a buffer overflow due to insecure calls to the strcpy
(lstrcpyA) function inside DWRCS.exe. The overflow is triggered after the
client finishes sending all of its pre-authentication information: local
username, remote username, local NetBIOS name, company name, registration
name, registration key, date and time, lower-case NetBIOS name, the IP
address(es) of the client, and the version of the remote client. After this
initial packet is sent, the client sends the requested authentication type
(in this case NTLMSSP). If the username is incorrect, the server sends a
response and then returns from the vulnerable function, at which point the
corrupted return address takes effect.
Technical Details:
When first communicating with DWRCS, packet dumps showed that the server's
second response packet contains the current Windows service pack level as
well as the operating system version; the OS can be identified from the
16th and 17th bytes of this packet. This information lets an exploit pick
return addresses that are valid for the target's OS version, selecting
them according to how the server responds.
Next, if all of the variables listed in the description above are sent,
the server responds with whether or not authentication succeeded, or
whether there was an error.
While reading in these variables, the server copies the values with
strcpy. Since no bounds checking is done, an over-long value overwrites
the saved return address on the stack; when the vulnerable function
returns (after a failed, or possibly even a successful, authentication)
the process is redirected to attacker-supplied code.
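The copy pattern described above, as an added example that is not part of this advisory or of DameWare's code: a hypothetical pre-authentication record parser written in the unchecked strcpy style, beside a length-checked replacement that rejects the over-long field instead of copying it. The record layout (a fixed number of NUL-terminated strings back to back), the 32-byte per-field buffer, the field names, the return codes and the sample values are all assumptions for illustration, not DWRCS's real wire format or buffer sizes.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32   /* assumed size of each on-stack field buffer */
#define NFIELDS   4    /* a subset of the fields the advisory lists */

struct preauth {
    char local_user[FIELD_MAX];
    char remote_user[FIELD_MAX];
    char netbios[FIELD_MAX];
    char version[FIELD_MAX];
};

/* Build a constructed pre-auth record: NFIELDS NUL-terminated strings back
 * to back.  Returns the record length, or 0 if it does not fit in buf. */
size_t build_preauth(const char *fields[NFIELDS], unsigned char *buf, size_t bufsz)
{
    size_t pos = 0;
    for (int i = 0; i < NFIELDS; i++) {
        size_t flen = strlen(fields[i]);
        if (pos + flen + 1 > bufsz)
            return 0;
        memcpy(buf + pos, fields[i], flen + 1);
        pos += flen + 1;
    }
    return pos;
}

/* Vulnerable pattern: strcpy() of attacker-controlled data into fixed-size
 * buffers.  It behaves correctly on well-formed input, which is why it
 * survives functional testing; on an over-long field it writes past the
 * struct (undefined behaviour, and on the real stack it reaches the saved
 * return address), so this example only ever feeds it fields that fit. */
int parse_preauth_unchecked(const unsigned char *pkt, struct preauth *out)
{
    char *dst[NFIELDS] = { out->local_user, out->remote_user, out->netbios, out->version };
    const char *p = (const char *)pkt;
    for (int i = 0; i < NFIELDS; i++) {
        strcpy(dst[i], p);        /* no bounds check */
        p += strlen(p) + 1;
    }
    return 0;
}

/* Hardened version: every field is bounded by the record length and must
 * fit, NUL included, into its destination.  Returns 0 on success, -1 for a
 * truncated record, -2 for an over-long field (the hostile case). */
int parse_preauth_checked(const unsigned char *pkt, size_t len, struct preauth *out)
{
    char *dst[NFIELDS] = { out->local_user, out->remote_user, out->netbios, out->version };
    size_t pos = 0;
    for (int i = 0; i < NFIELDS; i++) {
        const unsigned char *nul = memchr(pkt + pos, '\0', len - pos);
        if (nul == NULL)
            return -1;                        /* no terminator inside the record */
        size_t flen = (size_t)(nul - (pkt + pos));
        if (flen >= FIELD_MAX)
            return -2;                        /* would not fit with its NUL */
        memcpy(dst[i], pkt + pos, flen + 1);
        pos += flen + 1;
    }
    return 0;
}

/* Bytes strcpy() would write beyond a FIELD_MAX buffer for a field of the
 * given length (0 if it fits): the overrun that clobbers the saved return
 * address in the unchecked parser. */
size_t overrun_bytes(size_t field_len)
{
    return field_len + 1 > FIELD_MAX ? field_len + 1 - FIELD_MAX : 0;
}

int main(void)
{
    unsigned char pkt[512];
    struct preauth pa;
    const char *benign[NFIELDS] = { "helpdesk", "Administrator", "WKS01", "3.72" };
    build_preauth(benign, pkt, sizeof pkt);
    parse_preauth_unchecked(pkt, &pa);        /* fine on well-formed input */
    printf("unchecked parse: %s / %s\n", pa.local_user, pa.remote_user);

    char longname[200];                       /* constructed over-long local username */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    const char *hostile[NFIELDS] = { longname, "Administrator", "WKS01", "3.72" };
    size_t n = build_preauth(hostile, pkt, sizeof pkt);
    printf("checked parse of hostile record: %d (strcpy overrun would be %zu bytes)\n",
           parse_preauth_checked(pkt, n, &pa), overrun_bytes(strlen(longname)));
    return 0;
}
```

The checked parser bounds each field twice: by the record length (so a missing terminator cannot make it read past the packet) and by the destination size (so no field can write past its buffer). Rejecting the record outright, rather than silently truncating, also leaves a clean signal to log, which is what a detection rule for this class of pre-authentication attack would key on.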
Vendor Status:
Wirepair would like to thank DameWare for taking this issue seriously and
working quickly and successfully in releasing a patch that eradicates this
issue.
Time Table:
Nov 21st, Vulnerability identified and Exploit written.
Nov 23rd, First contact with DameWare
Nov 24th, Response by DameWare stating they will inspect the issue.
Nov 26th, DameWare supplied us a HotFix to re-test.
Dec 4th, DameWare put HotFix (new version) Online for clients to download.
Dec 14th, This advisory is released.
ADDITIONAL INFORMATION
The original article can be found at:
http://sh0dan.org/files/dwmrcs372.txt
The information has been provided by wirepair <wirepair@roguemail.net>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.