'[Full-Disclosure] Landesk Management Suite IRCRBOOT.DLL buffer overflow'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-Disclosure] Landesk Management Suite IRCRBOOT.DLL buffer overflow
From:       "Tri Huynh" <trihuynh () zeeup ! com>
Date:       2003-12-27 17:37:21
[Download RAW message or body]

Landesk Management Suite IRCRBOOT.DLL buffer overflow
 =================================================

 PROGRAM: Landesk Management Suite
HOMEPAGE: http://www.landesk.com
VULNERABLE VERSIONS: 8.0 (untested, but highly possible vulnerable)
                                               7.0 and below (tested)


 DESCRIPTION
 =================================================

 Landesk Management Suite is the flagship of LANDesk family of
 systems  management products in managing medium-to-large networks.
LANDesk® Management Suite enables IT professionals to automate systems
management tasks and proactively control desktops, servers and mobile
devices - all from a single console.


 DETAILS
 =================================================

Continuing our goal on cleaning dangerous ActiveX/COM components in
popular products, we have developed a Fuzzing Tool for ActiveX/COM
called "XKnight" (Not XXX, you perverts ! 8-) . XKnight works by fuzzing
the interface of the component to hunt for low-hanging fruits. And
fortunately, there are so many low-hanging fruits out there !!!

 IRCRBOOT.DLL  is an ActiveX/COM component that comes with
 Landesk Management Suite. YAUTO.DLL is registered under a CLSID named
 "DACBF5A1-33C5-11D3-A97E-00C04F72C145". In this component,
 function SetClientAddress(bszAddr as String) is vulnerable to a
 bufferoverflow  attack when argument bszAddr is passed with a long string.
 Since this is an ActiveX component, the vulnerability can
 be exploited just by making a website with the correct CLSID of
 the ActiveX and calling the function directly.


 WORKAROUND
 =================================================

 Waiting and apply the patch from vendor and/or remove the file
 temporary. Vendor is contacted (privacy@landesk.com) more than
3 weeks and they don't give a damn ! By the way, they don't put
an email on their website for contacting regarding about security problems.



 CREDITS
 =================================================

 Discovered by Tri Huynh from SentryUnion


 DISLAIMER
 =================================================

 The information within this paper may change without notice. Use of
 this information constitutes acceptance for use in an AS IS condition.
 There are NO warranties with regard to this information. In no event
 shall the author be liable for any damages whatsoever arising out of
 or in connection with the use or spread of this information. Any use
 of this information is at the user's own risk.


 FEEDBACK
 =================================================

 Please send suggestions, updates, and comments to: trihuynh@zeeup.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic