what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Solarwinds Dameware Mini Remote Code Execution

Solarwinds Dameware Mini Remote Code Execution
Posted Mar 18, 2016
Authored by b0yd

A certain remote message parsing function inside the Dameware Mini Remote Control service does not properly validate the input size of an incoming string before passing it to wsprintfw. As a result, a specially crafted message can overflow into the bordering format field and subsequently overflow the stack frame. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the dwmrcs daemon.

tags | advisory, remote, overflow
advisories | CVE-2016-2345
SHA-256 | 390aaf7607e85e8afb085d15df6d452b7949bc6e25747b8967ebc5477a0bd05b

Solarwinds Dameware Mini Remote Code Execution

Change Mirror Download
Document Title:
===============
Solarwinds Dameware Mini Remote Control Remote Code Execution Vulnerability

References (Source):
====================
http://www.kb.cert.org/vuls/id/897144
https://www.securifera.com/advisories/cve-2016-2345
http://www.dameware.com/products/mini-remote-control/product-overview.aspx

Release Date:
=============
2016-03-17

Product & Service Introduction:
===============================
Solarwinds Dameware Mini Remote Control allows for the remote administration of client systems of various operating system and architecture.

Vulnerability Information:
==============================
Class: CWE-121: Stack-based Buffer Overflow
Impact: Remote Code Execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2016-2345

Vulnerability Description:
==============================
A certain remote message parsing function inside the Dameware Mini Remote Control service does not properly validate the input size of an incoming string before passing it to wsprintfw. As a result, a specially crafted message can overflow into the bordering format field and subsequently overflow the stack frame. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the dwmrcs daemon.

Vulnerability Disclosure Timeline:
==================================
2015-12-17: Contact Solarwinds and Request Security Contact Info From Support Team
2015-12-22: Vendor Sends Link to Recent Patches, Denies Security Contact Info Request
2015-12-29: Notify Vendor Patches Are Unrelated, Offer POC, & Request Contact with Security Team Again
2016-12-31: Vendor Replies That “Details” Were Forwarded To Developers Although None Have Been Requested Or Given Yet
2016-01-08: Follow-up with Vendor; Send POC for Developers
2016-01-08: Vendor Confirms Reciept of POC & Forwards to Developers
2016-01-20: Enlist US-CERT Assistance with Vendor
2016-01-20: Vendor Asks If We Will Test A Patch; We Confirm With Vendor
2016-02-04: Follow-Up with Vendor to Receive Patch
2016-02-04: Vendors Sends Patch
2016-02-04: Notify Vendor Patch Consists of a NX Recompile. Notify Vendor of Workarounds & Urge For Actual Fix. Request Contact Info For Developers Again
2016-02-04: Vendors Forwards to Developers
2016-02-14: Update US-CERT on Progress. They Attempt to Contact Vendor Security Team Independantly
2016-03-03: Follow-up With Vendor
2016-03-03: Vendor Requests Remote Access to Our System
2016-03-04: Request Denied. We Suggest Several Trivial Potential Fixes For Vulnerability & Notify Of Impending 90 Disclosure Date
2016-03-08: Vendor Forwards to Developers
2016-03-17: Coordinated Public Disclosure with US-CERT


Affected Product(s):
====================
Solarwinds Dameware Mini Remote Control 12.0 ( previous versions have not been verified )

Severity Level:
===============
High

Proof of Concept (PoC):
=======================
A proof of concept will not be provided at this time.

Solution - Fix & Patch:
=======================
There is currently no patch. Please block remote access to port 6129 at a minimum.

Security Risk:
==============
The security risk of this remote code execution vulnerability is estimated as high. (CVSS 10.0)

Credits & Authors:
==================
Securifera, Inc - b0yd

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Securifera disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Securifera is not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Securifera or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, or hack into any systems.

Domains: www.securifera.com
Contact: contact [at] securifera [dot] com
Social: twitter.com/securifera

Copyright © 2016 | Securifera, Inc
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close