A certain remote message parsing function inside the Dameware Mini Remote Control service does not properly validate the input size of an incoming string before passing it to wsprintfw. As a result, a specially crafted message can overflow into the bordering format field and subsequently overflow the stack frame. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the dwmrcs daemon.
390aaf7607e85e8afb085d15df6d452b7949bc6e25747b8967ebc5477a0bd05b
Document Title:
===============
Solarwinds Dameware Mini Remote Control Remote Code Execution Vulnerability
References (Source):
====================
http://www.kb.cert.org/vuls/id/897144
https://www.securifera.com/advisories/cve-2016-2345
http://www.dameware.com/products/mini-remote-control/product-overview.aspx
Release Date:
=============
2016-03-17
Product & Service Introduction:
===============================
Solarwinds Dameware Mini Remote Control allows for the remote administration of client systems of various operating system and architecture.
Vulnerability Information:
==============================
Class: CWE-121: Stack-based Buffer Overflow
Impact: Remote Code Execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2016-2345
Vulnerability Description:
==============================
A certain remote message parsing function inside the Dameware Mini Remote Control service does not properly validate the input size of an incoming string before passing it to wsprintfw. As a result, a specially crafted message can overflow into the bordering format field and subsequently overflow the stack frame. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the dwmrcs daemon.
Vulnerability Disclosure Timeline:
==================================
2015-12-17: Contact Solarwinds and Request Security Contact Info From Support Team
2015-12-22: Vendor Sends Link to Recent Patches, Denies Security Contact Info Request
2015-12-29: Notify Vendor Patches Are Unrelated, Offer POC, & Request Contact with Security Team Again
2016-12-31: Vendor Replies That Details Were Forwarded To Developers Although None Have Been Requested Or Given Yet
2016-01-08: Follow-up with Vendor; Send POC for Developers
2016-01-08: Vendor Confirms Reciept of POC & Forwards to Developers
2016-01-20: Enlist US-CERT Assistance with Vendor
2016-01-20: Vendor Asks If We Will Test A Patch; We Confirm With Vendor
2016-02-04: Follow-Up with Vendor to Receive Patch
2016-02-04: Vendors Sends Patch
2016-02-04: Notify Vendor Patch Consists of a NX Recompile. Notify Vendor of Workarounds & Urge For Actual Fix. Request Contact Info For Developers Again
2016-02-04: Vendors Forwards to Developers
2016-02-14: Update US-CERT on Progress. They Attempt to Contact Vendor Security Team Independantly
2016-03-03: Follow-up With Vendor
2016-03-03: Vendor Requests Remote Access to Our System
2016-03-04: Request Denied. We Suggest Several Trivial Potential Fixes For Vulnerability & Notify Of Impending 90 Disclosure Date
2016-03-08: Vendor Forwards to Developers
2016-03-17: Coordinated Public Disclosure with US-CERT
Affected Product(s):
====================
Solarwinds Dameware Mini Remote Control 12.0 ( previous versions have not been verified )
Severity Level:
===============
High
Proof of Concept (PoC):
=======================
A proof of concept will not be provided at this time.
Solution - Fix & Patch:
=======================
There is currently no patch. Please block remote access to port 6129 at a minimum.
Security Risk:
==============
The security risk of this remote code execution vulnerability is estimated as high. (CVSS 10.0)
Credits & Authors:
==================
Securifera, Inc - b0yd
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Securifera disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Securifera is not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Securifera or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, or hack into any systems.
Domains: www.securifera.com
Contact: contact [at] securifera [dot] com
Social: twitter.com/securifera
Copyright © 2016 | Securifera, Inc