i would assume that any command you can type locally is available as this is
a remote control product ( trojan ) i.e.: this is a feature, not a flaw?

wood

----- Original Message -----
From: <ashat_private>
To: <bugtraqat_private>; <full-disclosureat_private>
Sent: Wednesday, August 13, 2003 1:46 AM
Subject: [Full-Disclosure] DameWare Mini-RC Shatter

> Program: DameWare Mini Remote Control Server
> Version: Prior to 3.71.0.0
> Impact: Users can escalate to SYSTEM
> Discovered: ash
> Writeup and exploits: ash
>
> 1) Background
>
> From DameWare Development web site:
> A lightweight remote control intended primarily for administrators
> and help desks for quick and easy deployment without external
> dependencies and machine reboot. Developed specifically for the 32 bit
> Windows environment (Windows 95/98/Me/NT/2000/XP), DameWare Mini Remote
> Control is capable of using the Windows challenge/response authentication
> and is able to be run both as an application and a service.
> Some additional features include View Only, Cursor control, Remote
> Clipboard, Performance Settings, Inactivity control, TCP only,
> Service Installation and Ping.
>
> 2) Description
>
> DameWare Mini Remote Control Server runs on the user's desktop as SYSTEM.
> This is vulnerable to a shatter style attack.
> See below for a fix that resolves all currently known issues.
>
> 3) Notes
>
> As a guest user exploitation results in
>
> F:\Program Files\Resource Kit>WHOAMI.EXE
> NT AUTHORITY\SYSTEM
>
> This type of vulnerability requires some access to a desktop
> with DameWare server running.
>
> This is a local privilege escalation vulnerability.
>
> Proof of concept code to exploit this vulnerability is attached.
>
> 4) Detection
>
> Check your process list for DWRCS.exe running as SYSTEM
> Check the version.
>
> 5) Vendor status/notes/fixes/statements
>
> Dameware Development has repaired all current known vulnerabilities.
> Dameware Development will continue researching and developing alternate
> development methods to ensure their software remains secure.
>
> A fix is available from Dameware Development by downloading version
> 3.71.0.0 or later from their website.[1]
>
> References:
>
> http://www.dameware.com/download
>
> _______________________________________________

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
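The detection step in the quoted advisory (DWRCS.exe running as SYSTEM with a version before the fixed 3.71.0.0), written up as an added fleet-triage script that is not part of this thread or of DameWare's software; it assumes a constructed CSV process-inventory export with host, process, user and file_version columns, and the version-string forms it accepts are an assumption.

```python
"""Triage a process inventory for the DameWare Mini RC issue.

Added example, not from the advisory. Flags hosts where DWRCS.exe is older
than the fixed 3.71.0.0, and separates the advisory's exact condition
(running as SYSTEM) from outdated builds under another account.
"""
import csv
import io
import re
from typing import Dict, Optional, Tuple

FIXED_VERSION = (3, 71, 0, 0)          # first fixed build per the advisory
SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}

# Constructed sample export (hypothetical hosts): host,process,user,file_version
SAMPLE_INVENTORY = """\
host,process,user,file_version
ws01,DWRCS.exe,NT AUTHORITY\\SYSTEM,3.70.0.0
ws02,DWRCS.exe,NT AUTHORITY\\SYSTEM,3.71.0.0
ws03,dwrcs.exe,NT AUTHORITY\\SYSTEM,"3, 70, 0, 0"
ws04,DWRCS.exe,CORP\\helpdesk,3.70.0.0
ws05,explorer.exe,CORP\\alice,6.0.0.0
"""

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.71.0.0' or the '3, 71, 0, 0' resource form into a 4-tuple."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple((parts + [0, 0, 0, 0])[:4])   # pad short strings like '3.71'

def assess(row: Dict[str, str]) -> Optional[str]:
    """'system' when the advisory's conditions hold, 'outdated' for an old
    build under another account, None when the row is not of interest."""
    if row["process"].lower() != "dwrcs.exe":
        return None
    if parse_version(row["file_version"]) >= FIXED_VERSION:
        return None                            # already at or past the fix
    as_system = row["user"].strip().lower() in SYSTEM_ACCOUNTS
    return "system" if as_system else "outdated"

def triage(csv_text: str) -> Dict[str, str]:
    """Map each affected host to its verdict; every hit needs the 3.71.0.0 upgrade."""
    reader = csv.DictReader(io.StringIO(csv_text))
    verdicts = {}
    for row in reader:
        verdict = assess(row)
        if verdict:
            verdicts[row["host"]] = verdict
    return verdicts

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: DWRCS.exe below 3.71.0.0 ({verdict}), upgrade")
```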
This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 04:32:38 PDT