[Snort-sigs] Dameware Mini-Remote Exploit Signature

Mike Rabinowitz mrabinowitz at ...2405...
Wed Apr 21 16:24:01 EDT 2004


# This is a template for submitting snort signature descriptions to 
# the snort.org website 
# 
# Ensure that your descriptions are your own 
# and not the work of others. References in the rules themselves 
# should be used for linking to other's work. 
# 
# If you are unsure of some part of a rule, use that as a commentary 
# and someone else perhaps will be able to fix it. 
# 
# $Id$ 
# 
# 

Rule: alert tcp any any -> any any (msg:"Dameware Mini-Remote Control Buffer Overflow"; flow:established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; offset:116; depth:14; content:"|63 20 37 7c eb 03 5d eb 05 e8 f8 ff ff ff|"; within:256; reference:url,sh0dan.org/files/dwmrcs372.txt; reference:url,www.kb.cert.org/vuls/id/909678; classtype:attempted-admin;)

-- 
Sid: 

-- 
Summary:  A buffer overrun in Dameware Mini Remote Control 3.72 and lower can allow an unauthenticated attacker to gain elevated system privileges.

-- 
Impact:  High in environments which employ vulnerable versions of Dameware.  TCP 6129, typically associated with Dameware, has been among the Top Ten scanned ports at http://isc.incidents.org/ for months.

-- 
Detailed Information:  Because the Dameware server uses the inherently unsafe C library function strcpy in its initial exchange with a Dameware client, anyone who impersonates a client can trigger the overflow and execute arbitrary code.

As with many buffer overruns, this exploit uses a NOP sled to overrun the buffer that strcpy writes into; once execution is redirected, any payload code can be delivered.  The rule keys on that sled (14 bytes of 0x90 starting at offset 116) followed, within 256 bytes, by the rule's second content match.
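As an added example (not part of the original submission), the rule's two content checks are reproduced in Python so their offset/depth/within semantics can be tested against constructed payloads. This models the Snort modifiers rather than running Snort itself; the filler bytes and sample names are made up.

```python
"""Re-implementation of the rule's content/offset/depth/within logic (added example)."""

# Byte patterns copied from the rule's two content matches.
NOP_SLED = bytes.fromhex("90" * 14)                       # 14 x 0x90
STAGE2 = bytes.fromhex("6320377ceb035deb05e8f8ffffff")    # second content

OFFSET, DEPTH, WITHIN = 116, 14, 256


def rule_matches(payload: bytes) -> bool:
    """Return True if payload would satisfy both content checks of the rule.

    offset/depth: the first pattern is searched only in payload[OFFSET:OFFSET+DEPTH].
    Because DEPTH equals len(NOP_SLED), the sled must sit exactly at byte 116,
    so the signature is anchored to one specific layout of the request.
    within: the second pattern must fit entirely inside the WITHIN bytes that
    follow the end of the first match.
    """
    window = payload[OFFSET:OFFSET + DEPTH]
    pos = window.find(NOP_SLED)
    if pos < 0:
        return False
    end_of_first = OFFSET + pos + len(NOP_SLED)
    region = payload[end_of_first:end_of_first + WITHIN]
    return region.find(STAGE2) >= 0


# Constructed test payloads (not real traffic): filler bytes stand in for protocol fields.
SAMPLES = {
    "benign_client_hello": b"\x00" * 400,
    "matches_rule": b"A" * 116 + NOP_SLED + b"B" * 100 + STAGE2 + b"C" * 10,
    "sled_one_byte_late": b"A" * 117 + NOP_SLED + b"B" * 100 + STAGE2,
    "stage2_beyond_within": b"A" * 116 + NOP_SLED + b"B" * 250 + STAGE2,
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the rule logic; only one should alert."""
    return {name: rule_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24s} {'ALERT' if hit else 'no alert'}")
```

The two non-alerting variants show why the rule lists no known false positives but is tightly bound to one packet layout: a sled that starts one byte later, or a second stage more than 256 bytes past the sled, falls outside the depth or within window.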

-- 
Affected Systems:  Windows systems with Dameware 3.72 and lower installed.

-- 
Attack Scenarios: 

-- 
Ease of Attack:  sh0dan already provided exploit code.  Here is one version:  http://www.securityfocus.com/data/vulnerabilities/exploits/DameWare-MRC-Remote.c

-- 
False Positives:  None known

-- 
False Negatives:  None known

-- 
Corrective Action:  Upgrade to Dameware 3.73.

-- 
Contributors:  Mike Rabinowitz

-- 
Additional References: 
