List: full-disclosure
Subject: [Full-disclosure] Dameware critical hole
From: <ad () class101 ! org>
Date: 2005-08-31 19:56:33
Message-ID: 000701c5ae6e$2969ead0$0400a8c0 () 0090F53F93E8
I haven't noticed any warning about this, but someone posted that PoC to my forum and is confirming that it works; it is urgent to update your DameWare...
/************************************************************************************************
* _ ______
* (_)___ ____ ____ / ____/
* / / __ \/ __ \/ __ \/___ \
* / / /_/ / / / / /_/ /___/ /
* __/ / .___/_/ /_/\____/_____/
* /___/_/======================
*************************************************************************************************
*
* DameWare Mini Remote Control Client Agent Service
* Another Pre-Authentication Buffer Overflow
* By Jackson Pollocks No5
* www.jpno5.com
*
*
* Summary
* +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
* DameWare Mini Remote Control is "A lightweight remote control intended primarily
* for administrators and help desks for quick and easy deployment without
* external dependencies and machine reboot.
*
* Developed specifically for the 32-bit Windows environment (Windows 95/98/Me/NT/2000/XP),
* DameWare Mini Remote Control is capable of using the Windows challenge/response authentication
* and is able to be run as both an application and a service.
*
* Some additional features include View Only, Cursor control, Remote Clipboard, Performance Settings,
* Inactivity control, TCP only, Service Installation and Ping."
*
* A buffer overflow vulnerability can be exploited remotely by an unauthenticated attacker
* who can access the DameWare Mini Remote Control Server.
*
* By default (DameWare Remote Control Server) DWRCS listens on port 6129 TCP.
* An attacker can construct a specially crafted packet and exploit this vulnerability.
* The vulnerability is caused by insecure calls to the lstrcpyA function when checking the username.
*
*
* Severity: Critical
*
* Impact: Code Execution
*
* Local: Yes
*
* Remote: Yes
*
* Patch: Download version 4.9.0 or later and install over your existing installation.
* You can download the latest version of your DameWare Development Product at
* http://www.dameware.com/download
*
* Details: Affected versions will be any version above 4.0 and prior to 4.9
* of the Mini Remote Client Agent Service (dwrcs.exe).
*
* Discovery: I discovered this while using the DameWare Mini Remote Control client.
* I accidentally pasted in a large string of text instead of my username.
* Clicking connect led to a remote crash of the application server.
*
* Credits: Can't really remember whose shellcode I used, more than likely it was
* written by Brett Moore.
*
* The egghunter was written by MMiller(skape). {Which kicks ass btw}
*
* Thanks to spoonm for tracking that NtAccessCheckAndAuditAlarm
* universal syscall down.
*
* Some creds to Adik as well, I did code my own exploit but it had none
* of that fancy shit like OS and SP detection. So basically I just modded
* the payload from the old DameWare exploit (ver 3.72).
*
* A little cred to me as well, after all I did put all those guys' great
* work together to make something decent
*
************************************************************************************/
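The advisory attributes the hole to unbounded lstrcpyA calls on the username. The C below is an added example, not code from the original post or from DameWare: it shows that defect class (an lstrcpyA-style copy into a fixed stack buffer, written with its portable twin strcpy) next to a bounded replacement that rejects oversized input before the buffer is touched. The field size USERNAME_MAX, the function names and the literal "admin" comparison are assumptions; the real dwrcs.exe layout and check are not on the page.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 64  /* assumed field size; the real dwrcs.exe layout is not on the page */

/* Defect class the advisory names: an lstrcpyA-style copy (same contract as
 * strcpy: no destination length) of an attacker-controlled username into a
 * fixed stack buffer. Shown for comparison only; never called below. */
int check_username_unbounded(const char *username)
{
    char buf[USERNAME_MAX];
    strcpy(buf, username);                /* no bound: this is the overflow */
    return strcmp(buf, "admin") == 0;     /* literal stands in for the real check */
}

/* Hardened copy: refuse anything that does not fit with its terminator and
 * never read more than dstlen bytes of the source. Returns 0 on success,
 * -1 if the username was rejected (dst is then left untouched). */
int copy_username_bounded(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0)
        return -1;
    const char *nul = memchr(src, '\0', dstlen);  /* terminator must lie within dstlen */
    if (nul == NULL)
        return -1;                        /* too long: reject, do not silently truncate */
    memcpy(dst, src, (size_t)(nul - src) + 1);  /* copy including the terminator */
    return 0;
}

/* Hardened check: validate the length before the buffer is touched.
 * Returns 1 on match, 0 on mismatch, -1 if rejected as oversized. */
int check_username_bounded(const char *username)
{
    char buf[USERNAME_MAX];
    if (copy_username_bounded(buf, sizeof buf, username) != 0)
        return -1;
    return strcmp(buf, "admin") == 0 ? 1 : 0;
}

int main(void)
{
    char big[200];                        /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("admin -> %d\n", check_username_bounded("admin"));   /* 1 */
    printf("199xA -> %d\n", check_username_bounded(big));       /* -1 */
    return 0;
}
```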
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/