[NEWS] Neslo Desktop Rover Remote DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 04/21/05

    To: list@securiteam.com
    Date: 21 Apr 2005 16:12:23 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Neslo Desktop Rover Remote DoS
    ------------------------------------------------------------------------

    SUMMARY

    Desktop Rover <http://www.nelsosoftware.com> is "a software application
    for Microsoft Windows that provides the features of a hardware KVM
    (Keyboard, Video, Mouse)". Desktop Rover is vulnerable to a denial of
    service (DoS). A remote attacker could send a specially crafted packet to
    trigger an invalid memory access to crash the application, resulting in a
    denial of service.

    DETAILS

    Vulnerable Systems:
     * Neslo Desktop Rover version 3.0

    Immune Systems:
     * Neslo Desktop Rover version 3.1

    By default, Desktop Rover listens on port 61427/TCP. It also
    conveniently opens this port in the Windows XP personal firewall. The
    packet below is one example that will cause a denial of service; there
    are more variations, but this one will suffice as an example.

    20:23:48.778009 192.168.28.133.32771 > 192.168.28.129.61427: P [tcp sum
    ok] 1:13(12) ack 1 win 5840 (DF) (ttl 64, id 24051, len 64)

         4500 0040 5df3 4000 4006 226e c0a8 1c85
         c0a8 1c81 8003 eff3 90a8 d150 7cda 8afa
         8018 16d0 daab 0000 0101 080a 0000 8cbe
         0000 0000 6352 0100 0000 0000 0000 0000

    Solution:
    The vendor is releasing a fix in version 3.1 soon, which will address the
    vulnerability. Until then, restricting access to the Desktop Rover ports
    will reduce the risk of this vulnerability being exploited.

    Disclosure Timeline:
    4.14.2005 - Initial vendor contact by e-mail
    4.15.2005 - Initial vendor response. Vendor addressed vulnerability. Fix
    confirmed by EvilPacket Security Research
    4.19.2005 - Advisory released

    ADDITIONAL INFORMATION

    The information has been provided by Adam Baldwin
    <mailto:evilpacket@gmail.com>.
    The original article can be found at:
    http://www.evilpacket.net/advisories/EP-000-0003.html

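The following is an added example, not part of the advisory or the vendor's code: it decodes the capture shown under DETAILS (validating the IPv4 header checksum) and checks the decoded flow against the "restrict access to the Desktop Rover ports" mitigation. The function names and the `ALLOWED_SOURCES` allowlist are assumptions made for illustration.

```python
import ipaddress
import struct

# Hex dump copied from the capture in the advisory (IPv4 header onward).
CAPTURE_HEX = """
4500 0040 5df3 4000 4006 226e c0a8 1c85
c0a8 1c81 8003 eff3 90a8 d150 7cda 8afa
8018 16d0 daab 0000 0101 080a 0000 8cbe
0000 0000 6352 0100 0000 0000 0000 0000
"""
ROVER_PORT = 61427  # default Desktop Rover listener, per the advisory
# Assumption: the only host permitted to reach the port (constructed value).
ALLOWED_SOURCES = [ipaddress.ip_network("192.168.28.10/32")]


def ip_checksum_ok(header: bytes) -> bool:
    """The one's-complement sum over a valid IPv4 header folds to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode(hexdump: str) -> dict:
    """Decode one IPv4/TCP packet from tcpdump -x style hex text."""
    raw = bytes.fromhex("".join(hexdump.split()))
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length
    total_len, proto = struct.unpack("!H", raw[2:4])[0], raw[9]
    if raw[0] >> 4 != 4 or proto != 6 or total_len > len(raw):
        raise ValueError("not a complete IPv4/TCP packet")
    if not ip_checksum_ok(raw[:ihl]):
        raise ValueError("bad IPv4 header checksum")
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    tcp_len = (raw[ihl + 12] >> 4) * 4             # TCP data offset
    return {
        "src": ipaddress.ip_address(raw[12:16]),
        "dst": ipaddress.ip_address(raw[16:20]),
        "sport": sport, "dport": dport,
        "payload_len": total_len - ihl - tcp_len,
    }


def violates_policy(pkt: dict) -> bool:
    """True when data reaches the Rover port from a non-allowlisted source."""
    allowed = any(pkt["src"] in net for net in ALLOWED_SOURCES)
    return pkt["dport"] == ROVER_PORT and pkt["payload_len"] > 0 and not allowed


if __name__ == "__main__":
    pkt = decode(CAPTURE_HEX)
    print(pkt, "violation:", violates_policy(pkt))
```

The decoded payload length of 12 bytes matches the `1:13(12)` field in the tcpdump summary line, which confirms the dump was transcribed intact.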

