[NEWS] Neslo Desktop Rover Remote DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 04/21/05

  • Next message: SecuriTeam: "[EXPL] Microsoft MSHTA Script Execution Vulnerability (PoC, MS05-016)"
    To: list@securiteam.com
    Date: 21 Apr 2005 16:12:23 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.

    - - - - - - - - -

      Neslo Desktop Rover Remote DoS


     <http://www.nelsosoftware.com> Desktop Rover is "a software application
    for Microsoft Windows that provides the features of a hardware KVM
    (Keyboard, Video, Mouse)". Desktop Rover is vulnerable to a denial of
    service (DoS). A remote attacker could send a specially crafted packet to
    trigger an invalid memory access to crash the application, resulting in a
    denial of service.


    Vulnerable Systems:
     * Neslo Desktop Rover version 3.0

    Immune Systems:
     * Neslo Desktop Rover version 3.1

    By default the Desktop Rover listens on port 61427/TCP, it also
    conveniently opens up this port in the Windows XP personal firewall. This
    packet is an example packet that will cause a denial of service, there are
    more variations, but this will suffice for example.

    20:23:48.778009 > P [tcp sum
    ok] 1:13(12) ack 1 win 5840 (DF) (ttl 64, id 24051, len 64)

         4500 0040 5df3 4000 4006 226e c0a8 1c85
         c0a8 1c81 8003 eff3 90a8 d150 7cda 8afa
         8018 16d0 daab 0000 0101 080a 0000 8cbe
         0000 0000 6352 0100 0000 0000 0000 0000

    The vendor is releasing a fix in version 3.1 soon which will address the
    vulnerability, until then restricting access to the Desktop Rover ports
    will reduce the risk of this vulnerability being exploited.

    Disclosure Timeline:
    4.14.2005 - Initial vendor contact by e-mail
    4.15.2005 - Initial vendor response. Vendor addressed vulnerability. Fix
    confirmed by EvilPacket Security Research
    4.19.2005 - Advisory released


    The information has been provided by <mailto:evilpacket@gmail.com> Adam
    The original article can be found at:


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] Microsoft MSHTA Script Execution Vulnerability (PoC, MS05-016)"