what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Solarwinds Dameware Mini Remote Code Execution

Solarwinds Dameware Mini Remote Code Execution
Posted Mar 18, 2016
Authored by b0yd

A certain remote message parsing function inside the Dameware Mini Remote Control service does not properly validate the input size of an incoming string before passing it to wsprintfw. As a result, a specially crafted message can overflow into the bordering format field and subsequently overflow the stack frame. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the dwmrcs daemon.

tags | advisory, remote, overflow
advisories | CVE-2016-2345
SHA-256 | 390aaf7607e85e8afb085d15df6d452b7949bc6e25747b8967ebc5477a0bd05b

Solarwinds Dameware Mini Remote Code Execution

Change Mirror Download
Document Title:
===============
Solarwinds Dameware Mini Remote Control Remote Code Execution Vulnerability

References (Source):
====================
http://www.kb.cert.org/vuls/id/897144
https://www.securifera.com/advisories/cve-2016-2345
http://www.dameware.com/products/mini-remote-control/product-overview.aspx

Release Date:
=============
2016-03-17

Product & Service Introduction:
===============================
Solarwinds Dameware Mini Remote Control allows for the remote administration of client systems of various operating system and architecture.

Vulnerability Information:
==============================
Class: CWE-121: Stack-based Buffer Overflow
Impact: Remote Code Execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2016-2345

Vulnerability Description:
==============================
A certain remote message parsing function inside the Dameware Mini Remote Control service does not properly validate the input size of an incoming string before passing it to wsprintfw. As a result, a specially crafted message can overflow into the bordering format field and subsequently overflow the stack frame. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the dwmrcs daemon.

Vulnerability Disclosure Timeline:
==================================
2015-12-17: Contact Solarwinds and Request Security Contact Info From Support Team
2015-12-22: Vendor Sends Link to Recent Patches, Denies Security Contact Info Request
2015-12-29: Notify Vendor Patches Are Unrelated, Offer POC, & Request Contact with Security Team Again
2016-12-31: Vendor Replies That “Details” Were Forwarded To Developers Although None Have Been Requested Or Given Yet
2016-01-08: Follow-up with Vendor; Send POC for Developers
2016-01-08: Vendor Confirms Reciept of POC & Forwards to Developers
2016-01-20: Enlist US-CERT Assistance with Vendor
2016-01-20: Vendor Asks If We Will Test A Patch; We Confirm With Vendor
2016-02-04: Follow-Up with Vendor to Receive Patch
2016-02-04: Vendors Sends Patch
2016-02-04: Notify Vendor Patch Consists of a NX Recompile. Notify Vendor of Workarounds & Urge For Actual Fix. Request Contact Info For Developers Again
2016-02-04: Vendors Forwards to Developers
2016-02-14: Update US-CERT on Progress. They Attempt to Contact Vendor Security Team Independantly
2016-03-03: Follow-up With Vendor
2016-03-03: Vendor Requests Remote Access to Our System
2016-03-04: Request Denied. We Suggest Several Trivial Potential Fixes For Vulnerability & Notify Of Impending 90 Disclosure Date
2016-03-08: Vendor Forwards to Developers
2016-03-17: Coordinated Public Disclosure with US-CERT


Affected Product(s):
====================
Solarwinds Dameware Mini Remote Control 12.0 ( previous versions have not been verified )

Severity Level:
===============
High

Proof of Concept (PoC):
=======================
A proof of concept will not be provided at this time.

Solution - Fix & Patch:
=======================
There is currently no patch. Please block remote access to port 6129 at a minimum.

Security Risk:
==============
The security risk of this remote code execution vulnerability is estimated as high. (CVSS 10.0)

Credits & Authors:
==================
Securifera, Inc - b0yd

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Securifera disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Securifera is not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Securifera or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, or hack into any systems.

Domains: www.securifera.com
Contact: contact [at] securifera [dot] com
Social: twitter.com/securifera

Copyright © 2016 | Securifera, Inc
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close