[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CVE-2016-2345] Solarwinds Dameware Mini Remote Control Remote Code Execution Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [CVE-2016-2345] Solarwinds Dameware Mini Remote Control Remote Code Execution Vulnerability
From: contact@xxxxxxxxxxxxxx
Date: Thu, 17 Mar 2016 16:30:01 GMT

Document Title:
===============
Solarwinds Dameware Mini Remote Control Remote Code Execution Vulnerability

References (Source):
====================
http://www.kb.cert.org/vuls/id/897144
https://www.securifera.com/advisories/cve-2016-2345
http://www.dameware.com/products/mini-remote-control/product-overview.aspx

Release Date:
=============
2016-03-17

Product & Service Introduction:
===============================
Solarwinds Dameware Mini Remote Control allows for the remote administration of 
client systems of various operating system and architecture. 

Vulnerability Information:
==============================
Class: CWE-121: Stack-based Buffer Overflow
Impact: Remote Code Execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2016-2345

Vulnerability Description:
==============================
A certain remote message parsing function inside the Dameware Mini Remote 
Control service does not properly validate the input size of an incoming string 
before passing it to wsprintfw.  As a result, a specially crafted message can 
overflow into the bordering format field and subsequently overflow the stack 
frame. Exploitation of this vulnerability does not require authentication and 
can lead to SYSTEM level privilege on any system running the dwmrcs daemon.

Vulnerability Disclosure Timeline:
==================================
2015-12-17: Contact Solarwinds and Request Security Contact Info From Support 
Team
2015-12-22: Vendor Sends Link to Recent Patches, Denies Security Contact Info 
Request
2015-12-29: Notify Vendor Patches Are Unrelated, Offer POC, & Request Contact 
with Security Team Again
2016-12-31: Vendor Replies That ?Details? Were Forwarded To Developers Although 
None Have Been Requested Or Given Yet
2016-01-08: Follow-up with Vendor; Send POC for Developers
2016-01-08: Vendor Confirms Reciept of POC & Forwards to Developers
2016-01-20: Enlist US-CERT Assistance with Vendor
2016-01-20: Vendor Asks If We Will Test A Patch; We Confirm With Vendor
2016-02-04: Follow-Up with Vendor to Receive Patch
2016-02-04: Vendors Sends Patch
2016-02-04: Notify Vendor Patch Consists of a NX Recompile. Notify Vendor of 
Workarounds & Urge For Actual Fix. Request Contact Info For Developers Again
2016-02-04: Vendors Forwards to Developers
2016-02-14: Update US-CERT on Progress. They Attempt to Contact Vendor Security 
Team Independantly
2016-03-03: Follow-up With Vendor
2016-03-03: Vendor Requests Remote Access to Our System
2016-03-04: Request Denied. We Suggest Several Trivial Potential Fixes For 
Vulnerability & Notify Of Impending 90 Disclosure Date
2016-03-08: Vendor Forwards to Developers
2016-03-17: Coordinated Public Disclosure with US-CERT


Affected Product(s):
====================
Solarwinds Dameware Mini Remote Control 12.0 ( previous versions have not been 
verified )

Severity Level:
===============
High

Proof of Concept (PoC):
=======================
A proof of concept will not be provided at this time.

Solution - Fix & Patch:
=======================
There is currently no patch. Please block remote access to port 6129 at a 
minimum.

Security Risk:
==============
The security risk of this remote code execution vulnerability is estimated as 
high. (CVSS 10.0)

Credits & Authors:
==================
Securifera, Inc - b0yd

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Securifera disclaims all warranties, either expressed or implied, 
including the warranties of merchantability and capability for a particular 
purpose. Securifera is not liable in any case of damage, 
including direct, indirect, incidental, consequential loss of business profits 
or special damages, even if Securifera or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the 
foregoing 
limitation may not apply. We do not approve or encourage anybody to break any 
licenses, policies, or hack into any systems.

Domains: www.securifera.com
Contact: contact [at] securifera [dot] com
Social: twitter.com/securifera

Copyright © 2016 | Securifera, Inc

Prev by Date: Re: [ANNOUNCE] CVE-2016-0782: ActiveMQ Web Console - Cross-Site Scripting
Next by Date: [SECURITY] [DSA 3519-1] xen security update
Previous by thread: CVE-2016-1520: GrandStream Android VoIP App Update Redirection
Next by thread: [SECURITY] [DSA 3519-1] xen security update
Index(es):
- Date
- Thread