[NT] DameWare NT Utilities Information Disclosure

From: SecuriTeam (support_at_securiteam.com)
Date: 04/20/05

    To: list@securiteam.com
    Date: 20 Apr 2005 12:06:05 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - - - - - - - -

      DameWare NT Utilities Information Disclosure
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.dameware.com/> DameWare NT Utilities is an enterprise system
    management application for Windows NT/2000/XP/2003 which provides an
    integrated collection of Microsoft Windows NT administration utilities
    incorporating a centralized interface for remote management of Windows
    NT/2000/XP/2003 Servers and Workstations. All of the standard Windows
    NT/2000/2003 Server and Windows NT/2000/XP Workstation utilities are
    included, along with many DameWare NT Utilities custom NT tools including
    Mini Remote Control and Exporter. Most of the standard utilities have been
    drastically enhanced for superior performance, added functionality and
    ease of use."

    User information, including passwords, can be retrieved by an attacker by
    dumping the memory of the Mini Remote Control and NT Utilities processes
    and by reading the plain-text files kept by NT Utilities.

    DETAILS

    Vulnerable Systems:
     * Dameware NT Utilities and MiniRemote Control version 4.9 and prior

    NT Utilities:
    When the DNTUS26 process on the remote machine is dumped from memory to a
    file with PMDump, the user name and the password can be obtained, because
    both are stored in clear text. The Windows event log (the event ID of the
    logon) reveals which user connected; opening the dump file and searching
    for that user name then yields the password, which appears in clear text
    on the same line as the user name.

    All utilities (disk, event, groups, open files, cmd view, ...) are affected,
    but if the CMD Console (not cmd view) is run and the process is dumped,
    searching for the word "Console" yields the user name, password, remote
    user and remote host name together.

    Example:
    Console:CrowDat:myplaintextpassword:Y:N:Kurobudetsu:TAMICA2000
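    The record quoted above is colon-delimited, with the fields in the order
    the advisory lists them: user, password, two one-letter flags the advisory
    does not explain, remote user and remote host. The following Python
    function is an added triage example, not part of the original advisory or
    of DameWare's software: it scans a memory dump you have taken of your own
    test installation, locates any such "Console:" records, and reports them
    with the password redacted, so an administrator can confirm whether the
    exposure applies without the clear-text password ending up in a report.
    The sample dump bytes are constructed here to exercise the parser; the
    field names for the two Y/N flags are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample input: filler bytes around a record in the format the
# advisory quotes. This is NOT a real DNTUS26 dump.
SAMPLE_DUMP = (
    b"\x00\x00lorem ipsum\x00\x00"
    b"Console:CrowDat:myplaintextpassword:Y:N:Kurobudetsu:TAMICA2000\x00"
    b"\x00trailing junk\x00"
)

# Field order follows the advisory's example line. The two Y/N flags are not
# explained in the advisory, so "flag1"/"flag2" are placeholder names.
FIELD_NAMES = ("user", "password", "flag1", "flag2", "remote_user", "remote_host")

# "Console:" followed by six fields separated by colons; a field ends at a
# colon, a NUL byte or a line break.
CONSOLE_RE = re.compile(rb"Console:((?:[^:\x00\r\n]*:){5}[^:\x00\r\n]*)")


def find_console_records(dump: bytes) -> List[Dict]:
    """Return every Console record found in the dump, password redacted.

    Each result carries the clear-text fields that are safe to report, the
    byte offset of the record, and only the length of the password so the
    reviewer can see that a non-empty clear-text password was present.
    """
    records = []
    for match in CONSOLE_RE.finditer(dump):
        parts = match.group(1).split(b":")
        if len(parts) != len(FIELD_NAMES):
            continue  # not the record layout we are looking for
        rec = {name: value.decode("latin-1") for name, value in zip(FIELD_NAMES, parts)}
        rec["password_present"] = bool(rec["password"])
        rec["password_length"] = len(rec["password"])
        rec["password"] = "<redacted>"  # never copy the secret into the report
        rec["offset"] = match.start()
        records.append(rec)
    return records


def audit_dump_file(path: str) -> List[Dict]:
    """Convenience wrapper: run the scan over a dump file on disk."""
    with open(path, "rb") as fh:
        return find_console_records(fh.read())


if __name__ == "__main__":
    for rec in find_console_records(SAMPLE_DUMP):
        print(
            f"offset {rec['offset']}: user={rec['user']} "
            f"remote_user={rec['remote_user']} remote_host={rec['remote_host']} "
            f"password_present={rec['password_present']} "
            f"(length {rec['password_length']})"
        )
```

    Run against a dump of a lab machine, a non-empty result is positive
    confirmation that the installed version keeps the console credentials in
    clear text in process memory; an empty result on the same dump is not
    proof of absence, since the record may be stored in a different layout.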

    Mini Remote Control:
    When the DWRCS process (on the remote or server machine) is dumped from
    memory to a file with PMDump, the program settings, user name and
    authentication type can be obtained, but not the password.

    When the DWRCC process (on the client or local machine) is dumped from
    memory to a file with PMDump, all of the user names, passwords,
    host names/IP addresses, aliases and domain names stored for connecting
    with alternate credentials can be obtained; searching for the words
    "sam computers" locates all of them.

    To make finding the user and password easier: when I tested, I always
    found the user and password within a short range of lines.

    Proof of Concept:
    The user and password can be found between the following lines:
    41900-42000 in disk, event, groups, open-files, properties... (NT
    Utilities)
    4550-4600 DWRCC (Mini Remote Control Client)
    300-400 DWRCS (Mini Remote Control Server)

    ADDITIONAL INFORMATION

    The information has been provided by Jordi Corrales
    <mailto:jordi@shellsec.net>.
    The original article can be found at:
    <http://www.shellsec.net/leer_advisory.php?id=7>

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

