dameware.com

[Bryan]

Welcome to the Security Bulletins & Advisories notification area.

With the growing popularity of PC networking & broadband internet access, computer security becomes increasingly important. Although DameWare Development has an outstanding track record in regard to security, this new notification area is dedicated to providing information about potential security related issues in regard to DameWare Development products as well as instructions on how to improve system security in relation to those issues.

[Bryan]

DameWare Mini Remote Control Server Shatter Attack Local Privilege Escalation Vulnerability


Products affected by this update:

• DameWare NT Utilities version 3.70 and below
• DameWare Mini Remote Control version 3.70 and below

Severity: Low

Impact: Privilege Elevation

Local: Yes
Remote: No

Patch:

Upgrade local & remote machines to version 3.71.0.0 or later.

Details:

Additional information about this issue can be found at:
http://www.securityfocus.com/bid/8395

This issue was brought to our attention in August of 2003 by Ash (ash@felinemenace.org) and was immediately resolved (prior to public notification) with the release of version 3.71.0.0. This issue is actually a design flaw within the Microsoft Windows Operating System, specifically within the Win32 Windows Messaging SubSystem.

Please see the following link from Microsoft for more details:

Microsoft Security Bulletin MS02-071
Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (328310)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-071.asp

Although the above Microsoft Security Bulletin specifically addresses the WM_TIMER message, apparently there are other Windows messages (for example: EM_SETWORDBREAKPROC) that can produce similar results that Microsoft has not addressed at this time.

In versions prior to 3.71.0.0, you can workaround this Microsoft security issue by hiding the SysTray icon. With the SysTray icon hidden, this vulnerability cannot be exploited. However, we recommend to upgrade to version 3.73 or higher, and then update the MRC Client Agent Service on all your remote machines.

[Bryan]

DameWare Mini Remote Control Client Agent Service Pre-Authentication Buffer Overflow Vulnerability

Products affected by this update:

• DameWare NT Utilities version 3.72 and below
• DameWare Mini Remote Control version 3.72 and below

Severity: Critical

Impact: Code Execution

Local: Yes
Remote: Yes

Patch:

Upgrade local & remote machines to version 3.73.0.0 or later.

Details:

Affected versions would be anything prior to version 3.73 of the Mini Remote Client Agent Service (Dwrcs.exe).

There was a potential Buffer Overflow issue in older versions of the Mini Remote Client Agent Service (DWRCS.EXE). Although we could not duplicate the Buffer Overflow issue at the time it was brought to our attention, we were able to successfully crash the Client Agent Service and therefore we immediately released an updated version of the software.

You may also want to consider using a different port number (something other than TCP 6129). TCP 6129 is the default port and it is also a very well known port number, however, any one of the valid 65,000+ TCP ports can be used.

Updating the Client Agent Service on your remote machines:

If the remote machines are running Windows NT4/2000/XP/2003, then the easiest and most efficient way to install the DMRC Client Agent Service to multiple machines is through the DameWare NT Utilities program. DNTU has the ability to remotely install the Mini Remote Control Client Agent Service to multiple machines at the same time including customization of the DWRCS.INI file. Please refer to the following FAQs for more information:

How to Install the Mini Remote Client Agent Service on Several Machines at the Same Time
http://www.dameware.com/support/kb/article.aspx?ID=100002

However, provided the necessary File & Printer Sharing ports were open between the local & remote machines, you can also select File / Remove Service and then File / Install Service from the Mini Remote Control main menu to update the Client Agent Service on your remote machine.

If the remote machine is running Windows 95/98/Me, then you may also want to consider using the DameWare Installer Tool (DWRCSInstall.exe) avaliable in these older 3.x versions) which will can create a custom installer package for Windows 9x that can be run from a login script, network share, or via e-mail distribution.


Additional information about the Buffer Overflow Issue can be found here:

http://www.securityfocus.com/bid/9213

Time Table:

Nov 23rd, First contact with WirePair
Nov 24th, We respond to WirePair stating we will investigate the issue
Nov 26th, Supplied hotfix to WirePair to re-test.
Nov 27th, WirePair responds that hotfix resolves the Buffer Overflow issue.
Dec 04th, Version 3.73 released for download.
Dec 14th, Advisory is released by WirePair.
Dec 20th, WirePair releases his exploit code.

[Bryan]

DameWare Mini Remote Control Encryption Key issue

Products affected by this update:

• DameWare NT Utilities v3.73 or 4.1 and below
• DameWare Mini Remote Control v3.73 or 4.1 and below

Severity: Important

Impact: Encrypted Data Disclosure

Local: No
Remote: Yes

Patch:

For version 3.x, install version 3.74 or higher.
For version 4.x, install version 4.2 or higher.

Details:

There was a design flaw in DameWare Mini Remote Control's 128-bit Encryption scheme, whereby it could potentially reveal the session encryption key to an attacker. However, the entire concept of this vulnerability is based upon an attackers ability to capture and analyze TCP packets between the host and client machine.


Affected features include: 128-bit Windows Logon Authentication, Simple File Transfer Encryption, Encrypted General Data (keystrokes), Encrypted Images.


Additional information about this Encryption Key Issue can be found here:

http://www.securityfocus.com/bid/9909
http://www.securityfocus.com/bid/9959


Time Table:

• March 17th, ax09001h@hotmail.com releases information directly to SecurityFocus regarding Weak Encryption Key
• March 23rd, ax09001h@hotmail.com releases information directly to SecurityFocus regarding Encryption Key Disclosure
• March 23rd, DameWare Development notified by one of it's customers
• March 26th, DameWare Development releases versions 3.74 & 4.2 to resolve the reported Encryption issue.

[Bryan]

(HOAX) Dameware Mini Remote Control Version 4.2 Weak Key Agreement Scheme

Products affected by this update:

• DameWare NT Utilities
• DameWare Mini Remote Control

Severity: None

Impact: None

Local: No
Remote: No

Patch:

None Required

Details:

A false security report was released to the Security Focus website.

The information submitted by ax09001h@hotmail.com to Security Focus (Bugtraq Bid ID 10254) was not an exploit, nor a vulnerability, and therefore inaccurate & misleading. Furthermore, the information submitted by ax09001h@hotmail.com had nothing to do with obtaining the Session Encryption Key, nor did it reveal any confidential information. It was entirely "pre-authentication" information that had nothing to do with the Session Encryption Key, and it could not be used to obtain the actual Session Encryption Key.

ax09001h@hotmail.com made no attempts to contact DameWare Development directly to verify this claim before releasing the information. It is extremely irresponsible for anyone to release this kind of information without first contacting the vendor to verify its accuracy. Based on his or her actions it's fairly obvious that this anonymous person and or company are deliberately attempting to discredit DameWare Development & its Mini Remote Control program.

DameWare Development contacted Security Focus in May of 2004 and requested this bogus information be removed from their website.

[Bryan]

DameWare Mini Remote Control Server Potential Privilege Escalation

Products affected by this update:

• DameWare NT Utilities version 4.8 & below, including v3.74 & below
• DameWare Mini Remote Control version 4.8 and below, including v3.74 & below

Severity: Low

Impact: Privilege Elevation

Local: No
Remote: Yes

Patch:

For version 3.x customers, upgrade to version 3.80.
For version 4.x customers, upgrade to version 4.9 or above.

Unfortunately, these older 3.x and 4.x versions of the software are no longer supported. However, you can send an email to our Support Department at support@dameware.com, and include your registration/activation information from your older version of the software for verification. Once we have verified your information, we will email you a temporary link to download this older version of the software.

Details:

This issue was discovered in April of 2005 by DameWare Development's internal staff and was immediately resolved with the release of version 3.80 and version 4.9.

Issue:

A Potential Privilege Escalation issue exists whereby an authenticated user with non-Administrator rights may be able to elevate their rights on a remote machine.

Recommendation:

Download & install the appropriate version of the software listed above, and then update the Mini Remote Client Agent on the remote machine to this new version of the software.