Document Title: =============== Solarwinds Dameware Mini Remote Control Remote Code Execution Vulnerability References (Source): ==================== http://www.kb.cert.org/vuls/id/897144 https://www.securifera.com/advisories/cve-2016-2345 http://www.dameware.com/products/mini-remote-control/product-overview.aspx Release Date: ============= 2016-03-17 Product & Service Introduction: =============================== Solarwinds Dameware Mini Remote Control allows for the remote administration of client systems of various operating system and architecture. Vulnerability Information: ============================== Class: CWE-121: Stack-based Buffer Overflow Impact: Remote Code Execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2016-2345 Vulnerability Description: ============================== A certain remote message parsing function inside the Dameware Mini Remote Control service does not properly validate the input size of an incoming string before passing it to wsprintfw. As a result, a specially crafted message can overflow into the bordering format field and subsequently overflow the stack frame. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the dwmrcs daemon. Vulnerability Disclosure Timeline: ================================== 2015-12-17: Contact Solarwinds and Request Security Contact Info From Support Team 2015-12-22: Vendor Sends Link to Recent Patches, Denies Security Contact Info Request 2015-12-29: Notify Vendor Patches Are Unrelated, Offer POC, & Request Contact with Security Team Again 2016-12-31: Vendor Replies That “Details” Were Forwarded To Developers Although None Have Been Requested Or Given Yet 2016-01-08: Follow-up with Vendor; Send POC for Developers 2016-01-08: Vendor Confirms Reciept of POC & Forwards to Developers 2016-01-20: Enlist US-CERT Assistance with Vendor 2016-01-20: Vendor Asks If We Will Test A Patch; We Confirm With Vendor 2016-02-04: Follow-Up with Vendor to Receive Patch 2016-02-04: Vendors Sends Patch 2016-02-04: Notify Vendor Patch Consists of a NX Recompile. Notify Vendor of Workarounds & Urge For Actual Fix. Request Contact Info For Developers Again 2016-02-04: Vendors Forwards to Developers 2016-02-14: Update US-CERT on Progress. They Attempt to Contact Vendor Security Team Independantly 2016-03-03: Follow-up With Vendor 2016-03-03: Vendor Requests Remote Access to Our System 2016-03-04: Request Denied. We Suggest Several Trivial Potential Fixes For Vulnerability & Notify Of Impending 90 Disclosure Date 2016-03-08: Vendor Forwards to Developers 2016-03-17: Coordinated Public Disclosure with US-CERT Affected Product(s): ==================== Solarwinds Dameware Mini Remote Control 12.0 ( previous versions have not been verified ) Severity Level: =============== High Proof of Concept (PoC): ======================= A proof of concept will not be provided at this time. Solution - Fix & Patch: ======================= There is currently no patch. Please block remote access to port 6129 at a minimum. Security Risk: ============== The security risk of this remote code execution vulnerability is estimated as high. (CVSS 10.0) Credits & Authors: ================== Securifera, Inc - b0yd Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Securifera disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Securifera is not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Securifera or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, or hack into any systems. Domains: www.securifera.com Contact: contact [at] securifera [dot] com Social: twitter.com/securifera Copyright © 2016 | Securifera, Inc