DameWare Mini Remote Control is "A lightweight remote control intended primarily for administrators and help desks for quick and easy deployment without external dependencies and machine reboot. Developed specifically for the 32-bit Windows environment (Windows 95/98/Me/NT/2000/XP), DameWare Mini Remote Control is capable of using the Windows challenge/response authentication and is able to be run as both an application and a service. Some additional features include View Only, Cursor control, Remote Clipboard, Performance Settings, Inactivity control, TCP only, Service Installation and Ping."
A buffer overflow vulnerability can be exploited remotely by an unauthenticated attacker who can reach the DameWare Mini Remote Control Server. By default, the DameWare Remote Control Server (DWRCS) listens on TCP port 6129. An attacker can construct a special UDP packet and exploit this vulnerability.
* DameWare Mini Remote Control version 3.72 and prior
* DameWare Mini Remote Control version 3.73
By constructing fake communication packets that pretend to come from a client, we can cause a buffer overflow due to insecure calls to the strcpy (lstrcpyA) functions inside DWRCS.exe. The overflow is triggered after the client finishes sending all pre-authentication information: local username, remote username, local NetBIOS name, Company Name, Registration Name, Registration Key, date and time, lower-case NetBIOS name, IP address(es) of the client, and version of the remote client. After this initial packet is sent, the client sends the requested authentication type (in this case NTLMSSP). If the username is incorrect, the server responds and then returns from the vulnerable function.
When first communicating with the DWRCS, packet dumps showed that the server responds with the current Windows Service Pack level as well as the Operating System version in its second response packet. The OS can be identified from the 16th and 17th bytes of this packet. This information can be used to select valid addresses for our op codes, which we can change at will depending on how the server responds.
Next, if we send all of the variables listed in the description above, the server responds indicating whether authentication succeeded, failed, or produced an error.
While reading in these variables, the server copies their values using strcpy. Since no bounds checking is done, when authentication fails (or possibly even when it succeeds), we can overwrite the return address on the stack and have the process call our code.
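To show the defect class the advisory describes, the following is an added example, not DameWare's code: a hypothetical pre-authentication record handler in C with the unbounded strcpy pattern beside a bounds-checked replacement that rejects oversized fields instead of truncating them. The struct layout, field sizes (MAX_USERNAME, MAX_NETBIOS) and function names are assumptions for illustration; the real DWRCS field lengths are not given here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for illustration only; the real DWRCS buffer sizes are not known here. */
#define MAX_USERNAME 64
#define MAX_NETBIOS  16

/* A pre-authentication record as a handler might keep it on the stack.
 * Constructed layout, not the actual DWRCS one. */
struct preauth {
    char local_user[MAX_USERNAME];
    char remote_user[MAX_USERNAME];
    char netbios[MAX_NETBIOS];
};

/* The pattern the advisory describes: strcpy/lstrcpyA into a fixed-size buffer
 * with no length check. If strlen(src) >= the buffer size the copy runs past the
 * buffer on the stack. Shown only for contrast; never feed it untrusted input. */
void copy_field_unchecked(char *dst, const char *src)
{
    strcpy(dst, src); /* no bounds check */
}

/* Hardened form: copy only if the field fits, including its NUL terminator.
 * Returns 0 on success, -1 if the field is too long. Rejecting rather than
 * truncating keeps a bogus field from silently becoming a "valid" shorter one
 * and gives the caller a clear event to log and drop the connection on. */
int copy_field_checked(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst_size == 0 || src_len >= dst_size)
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Fill a record from the three client-supplied strings.
 * Returns 0 if every field fits, -1 on the first oversized field. */
int parse_preauth(struct preauth *out, const char *local_user,
                  const char *remote_user, const char *netbios)
{
    if (copy_field_checked(out->local_user, sizeof out->local_user,
                           local_user, strlen(local_user)) != 0)
        return -1;
    if (copy_field_checked(out->remote_user, sizeof out->remote_user,
                           remote_user, strlen(remote_user)) != 0)
        return -1;
    if (copy_field_checked(out->netbios, sizeof out->netbios,
                           netbios, strlen(netbios)) != 0)
        return -1;
    return 0;
}

int main(void)
{
    struct preauth rec;
    char oversized[200]; /* constructed: a username far longer than MAX_USERNAME */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    /* Normal-looking client values are accepted. */
    printf("normal record: %s\n",
           parse_preauth(&rec, "alice", "admin", "WS01") == 0 ? "accepted" : "rejected");

    /* The oversized username is rejected before any copy overruns the struct;
     * with copy_field_unchecked this input would overwrite adjacent stack data. */
    printf("oversized username: %s\n",
           parse_preauth(&rec, oversized, "admin", "WS01") == 0 ? "accepted" : "rejected");
    return 0;
}
```

The length check is done against the destination size including the terminator, so a field of exactly MAX_NETBIOS bytes is rejected too; that off-by-one is the usual place a "fixed" strncpy-style copy still goes wrong.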
Wirepair would like to thank DameWare for taking this issue seriously and working quickly and successfully in releasing a patch that eradicates this issue.
* Nov 21st: Vulnerability identified and exploit written.
* Nov 23rd: First contact with DameWare.
* Nov 24th: Response by DameWare stating they will inspect the issue.
* Nov 26th: DameWare supplied us a HotFix to re-test.
* Dec 4th: DameWare put the HotFix (new version) online for clients to download.
* Dec 14th: This advisory is released.