Full Disclosure mailing list archives
Dameware critical hole
From: <ad () class101 org>
Date: Wed, 31 Aug 2005 21:54:20 +0100
Haven't noticed any warning about this, but someone posted that POC to my forum and is confirming that it works. It is urgent to update your DameWare .....

/************************************************************************************************
 *       _ ______
 *      (_)___  ____  ____  / ____/
 *     / / __ \/ __ \/ __ \/___ \
 *    / / /_/ / / / / /_/ /___/ /
 * __/ / .___/_/ /_/\____/_____/
 * /___/_/======================
 *************************************************************************************************
 *
 * DameWare Mini Remote Control Client Agent Service
 * Another Pre-Authentication Buffer Overflow
 * By Jackson Pollocks No5
 * www.jpno5.com
 *
 *
 * Summary
 * +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 * DameWare Mini Remote Control is "A lightweight remote control intended primarily
 * for administrators and help desks for quick and easy deployment without
 * external dependencies and machine reboot.
 *
 * Developed specifically for the 32-bit Windows environment (Windows 95/98/Me/NT/2000/XP),
 * DameWare Mini Remote Control is capable of using the Windows challenge/response authentication
 * and is able to be run as both an application and a service.
 *
 * Some additional features include View Only, Cursor control, Remote Clipboard, Performance Settings,
 * Inactivity control, TCP only, Service Installation and Ping."
 *
 * A buffer overflow vulnerability can be exploited remotely by an unauthenticated attacker
 * who can access the DameWare Mini Remote Control Server.
 *
 * By default (DameWare Remote Control Server) DWRCS listens on port 6129 TCP.
 * An attacker can construct a specially crafted packet and exploit this vulnerability.
 * The vulnerability is caused by insecure calls to the lstrcpyA function when checking the username.
 *
 *
 * Severity: Critical
 *
 * Impact: Code Execution
 *
 * Local: Yes
 *
 * Remote: Yes
 *
 * Patch: Download version 4.9.0 or later and install over your existing installation.
 * You can download the latest version of your DameWare Development Product at
 * http://www.dameware.com/download
 *
 * Details: Affected versions will be any version above 4.0 and prior to 4.9
 * of the Mini Remote Client Agent Service (dwrcs.exe).
 *
 * Discovery: I discovered this while using the DameWare Mini Remote Control client.
 * I accidentally pasted in a large string of text instead of my username.
 * Clicking connect led to a remote crash of the application server.
 *
 * Credits: Can't really remember whose shellcode I used, more than likely it was
 * written by Brett Moore.
 *
 * The egghunter was written by MMiller (skape). {Which kicks ass btw}
 *
 * Thanks to spoonm for tracking that NtAccessCheckAndAuditAlarm
 * universal syscall down.
 *
 * Some creds to Adik as well, I did code my own exploit but it had none
 * of that fancy shit like OS and SP detection. So basically I just modded
 * the payload from the old DameWare exploit (ver 3.72).
 *
 * A little cred to me as well, after all I did put all them guys' great
 * work together to make something decent
 *
 ************************************************************************************/
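The advisory attributes the crash to an unbounded lstrcpyA copy of the username field before authentication. As an added illustration (not code from the advisory or from DameWare), the C below puts that pattern beside a length-checked copy of a network field; the 64-byte buffer size, strcpy standing in for lstrcpyA, and the sample inputs are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical fixed-size username buffer. The real DWRCS buffer size is not
 * stated in the advisory; 64 is a constructed value for illustration. */
#define USERNAME_MAX 64

/* Vulnerable pattern: the untrusted field's length is never checked before the
 * copy. strcpy() stands in here for the Win32 lstrcpyA() named in the advisory
 * (same semantics: copy until NUL with no bound). Oversized input overruns dst. */
void copy_username_unchecked(char *dst, const char *untrusted)
{
    strcpy(dst, untrusted);
}

/* Hardened pattern: treat the field as raw bytes of known length, never rely on
 * the peer supplying a NUL, and reject anything that will not fit with its
 * terminator. Returns false when the field is rejected (caller drops the session). */
bool copy_username_checked(char *dst, const char *field, size_t field_len)
{
    /* Network data need not be NUL-terminated: bound the scan by field_len. */
    const char *nul = memchr(field, '\0', field_len);
    size_t n = nul ? (size_t)(nul - field) : field_len;
    if (n == 0 || n >= USERNAME_MAX) {
        return false;   /* empty, or would not leave room for the terminator */
    }
    memcpy(dst, field, n);
    dst[n] = '\0';
    return true;
}

int main(void)
{
    char name[USERNAME_MAX];
    /* Constructed inputs: a normal username and an oversized one, like the large
     * pasted string the advisory describes crashing the agent service. */
    const char *ok = "helpdesk";
    char big[512];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short name accepted: %d\n", copy_username_checked(name, ok, strlen(ok)));
    printf("oversized rejected:  %d\n", !copy_username_checked(name, big, strlen(big)));
    return 0;
}
```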
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/