[32851] in bugtraq
DameWare Mini Remote Control Server <= 3.72 Buffer Overflow
daemon@ATHENA.MIT.EDU (wirepair)
Mon Dec 15 16:36:29 2003
From: "wirepair" <wirepair@roguemail.net>
To: bugtraq@securityfocus.com
Date: Sun, 14 Dec 2003 07:10:41 -0800
Message-ID: <web-23694505@gator.darkhorse.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Product: DameWare Mini Remote Control <= 3.72.0.0
Vulnerability: Pre-Authentication Buffer Overflow
Severity: High Risk
Status: Vendor responded very quickly and has resolved the issue in 3.73 and later.
The new version can be downloaded from http://www.dameware.com/downloads.
Description:
A buffer overflow vulnerability can be exploited remotely by an unauthenticated attacker
who can access the DameWare Mini Remote Control Server. By default (DameWare Remote Control
Server) DWRCS listens on port 6129 TCP. By constructing fake communication packets pretending
to be a client, we can cause a buffer overflow due to insecure calls to the strcpy (lstrcpyA)
functions inside of DWRCS.exe. This overflow is caused after the client finishes sending all
pre-authentication information. This includes local username, remote username, local NetBIOS
name, Company Name, Registration Name, Registration Key, Date & time, lower case NetBIOS name,
IP Address(s) of the client, and Version of the remote client. After this initial packet is sent,
the client sends the requested authentication type (in this case NTLMSSP.) If the username is
incorrect, the server will respond and then return from the vulnerable function.
Technical Details:
When first communicating with the DWRCS, packet dumps showed the server responds with the current
Windows Service Pack level, as well as the Operating System Version in the second response packet. The OS
can be identified by 16th and 17th bytes of this packet.
This information can be used to find valid addresses for our op codes which we can change at will
depending on how the server responds. Next if we send all of the variables listed in the description
portion of this advisory, the server will respond whether or not authentication succeeded, or if
there was an error.
During the process of reading in these variables, the server copies these values using strcpy.
Since no bounds checking is done, when the authentication fails (or possibly even succeeds), we
can overwrite the return address on the stack and have the process call our code.
I would like to thank DameWare for taking this issue seriously and working quickly
and successfully in releasing a patch which eradicates this issue. Once again
this issue has been resolved in version 3.73 and later.
Time Table:
Nov 21st, Vulnerability identified and Exploit written.
Nov 23rd, First contact with DameWare
Nov 24th, Response by DameWare stating they will inspect the issue.
Nov 26th, DameWare supplied me a hotfix to re-test.
Dec 4th, DameWare put hotfix (new version) Online for clients to download.
Dec 14th, This advisory is released.
Dec 20th, I plan on releasing my exploit code.
This advisory can also be found on my site:
http://sh0dan.org/files/dwmrcs372.txt
I have tested my code on 3.70 and 3.72 I presume other versions vulnerable.
-wire
--
Visit Things From Another World for the best
comics, movies, toys, collectibles and more.
http://www.tfaw.com/?qt=wmf
