[Full-Disclosure] DameWare Mini-RC Shatter

From: ashat_private
Date: Wed Aug 13 2003 - 01:46:41 PDT


    Program: DameWare Mini Remote Control Server
    Version: Prior to 3.71.0.0
    Impact: Users can escalate to SYSTEM
    Discovered: ash
    Writeup and exploits: ash
    
    1) Background
    
       From DameWare Development web site:
       A lightweight remote control intended primarily for administrators
       and help desks for quick and easy deployment without external
       dependencies and machine reboot. Developed specifically for the 32 bit
       Windows environment (Windows 95/98/Me/NT/2000/XP), DameWare Mini Remote
       Control is capable of using the Windows challenge/response authentication
       and is able to be run both as an application and a service.
       Some additional features include View Only, Cursor control, Remote
       Clipboard, Performance Settings, Inactivity control, TCP only,
       Service Installation and Ping.
    
    2) Description
    
       DameWare Mini Remote Control Server runs on the user's desktop as SYSTEM.
       This is vulnerable to a shatter style attack.
       See below for a fix that resolves all currently known issues.
    
    3) Notes
    
       As a guest user, exploitation results in:
    
       F:\Program Files\Resource Kit>WHOAMI.EXE
       NT AUTHORITY\SYSTEM
    
       This type of vulnerability requires some access to a desktop
       with DameWare server running.
    
       This is a local privilege escalation vulnerability.
    
       Proof of concept code to exploit this vulnerability is attached.
    
    4) Detection
    
       Check your process list for DWRCS.exe running as SYSTEM
       Check the version.
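
The two detection checks above as a PowerShell script. This is an added example, not part of the original advisory or DameWare's tooling; it assumes PowerShell 3.0 or later and an elevated prompt, and the variable and property names are illustrative.

```powershell
# Added example: report every running DWRCS.exe with its owning account
# and file version. Per the advisory, 3.71.0.0 or later carries the fix.
$fixed = New-Object System.Version 3, 71, 0, 0

$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'DWRCS.exe'"
if (-not $procs) {
    Write-Output 'DWRCS.exe is not running on this host.'
    return
}

foreach ($p in $procs) {
    # GetOwner returns 0 on success; without elevation it can fail for
    # processes owned by other accounts, so treat that as "unknown".
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    if ($owner.ReturnValue -eq 0) {
        $account = "$($owner.Domain)\$($owner.User)"
        $asSystem = ($owner.User -eq 'SYSTEM')
    } else {
        $account = 'unknown (run elevated)'
        $asSystem = $null
    }

    # Build the version from the numeric parts of the file's version
    # resource; older binaries often store the string form as "3, 71, 0, 0",
    # which does not cast cleanly to [version].
    $ver = $null
    $vulnerable = $null
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $vi = (Get-Item -LiteralPath $p.ExecutablePath).VersionInfo
        $ver = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart,
                                         $vi.FileBuildPart, $vi.FilePrivatePart
        $vulnerable = ($ver -lt $fixed)
    }

    [pscustomobject]@{
        ProcessId    = $p.ProcessId
        Account      = $account
        RunsAsSystem = $asSystem
        Path         = $p.ExecutablePath
        FileVersion  = $ver
        Vulnerable   = $vulnerable   # $null means the version could not be read
    }
}
```

A row with RunsAsSystem and Vulnerable both True matches the condition the advisory describes; a $null in either column means the check has to be repeated with sufficient rights.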
    
    5) Vendor status/notes/fixes/statements
    
       Dameware Development has repaired all current known vulnerabilities.
    
       Dameware Development will continue researching and developing alternate
       development methods to ensure their software remains secure.
    
       A fix is available from Dameware Development by downloading version
       3.71.0.0 or later from their website.[1]
    
    
    References:
    
    [1] http://www.dameware.com/download
    
    
    
    

    _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html



    This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 03:30:16 PDT