Dameware NT Utilities and MiniRemote Control <= 4.9 vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Dameware NT Utilities and MiniRemote Control <= 4.9 vulnerability
From: Jordi Corrales <jordi@xxxxxxxxxxxx>
Date: Fri, 15 Apr 2005 15:00:48 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: Jordi Corrales <jordi@xxxxxxxxxxxx>

Dameware NT Utilities and MiniRemote Control <= 4.9 vulnerability
         

- 1 - Introduction

DameWare NT Utilities is an enterprise system management application for 
Windows NT/2000/XP/2003 which provides an integrated collection of Microsoft 
Windows NT administration utilities incorporating a centralized interface for 
remote management of Windows NT/2000/XP/2003 Servers and Workstations

- 2 - Description -

Dameware NT Utilities and Mini Remote Control <= 4.9 have a vulnerability.

NT Utilities
-------------

When the process DNTUS26 located in the remote machine is dumped from memory to 
a file with PMDump can obtain the user and the password because both are stored 
in clear-text.
Viewing the event id of windows can know the user connected then only opening 
the dump file and searching the user can obtain the password looking for any 
clear-text in the same line of the user.

All utilities (disk,event,groups,open files..cmd view..) are vulnerable but if 
execute CMD Console (not cmd view) and dump the process, searching the word 
"Console" can obtain the user,password,remote user and remote host name.

For example

Console:CrowDat:myplaintextpassword:Y:N:Kurobudetsu:TAMICA2000

Mini Remote Control
-------------------

When the process DWRCS (remote machine or server machine) is dumped from memory 
to a file with PMDump can obtain information of program settings,user name and 
authentication type but not the password.

When the process DWRCC (client machine or local machine) is dumped from memory 
to a file with PMDump can obtain all
users,passwords,hostname/ip,alias and domain name stored for connect with 
alternate credentials, searching the word "sam computers" can find all.

To make easy find the user and password when i tested always find the user and 
password between a short range of lines. To open the txt files i used Notepad++ 
but with notepad or wordpad it's very slowly.

User&Password between lines..

41900-42000 in disk,event,groups,open-files,properties... (NT Utilities)
4550-4600 DWRCC (Mini Remote Control Client)
300-400 DWRCS (Mini Remote Control Server)


- 3 - How to fix it

If Dameware fix this bug download update to the new version

- 4 - Vendor Contact

08/04/2005 Notified to dameware

No response from vendor

- 5 - Credits -

Author: Jordi Corrales ( jordi[at]shellsec.net )
Editor: Fernando Ortega ( fernando[at]shellsec.net )
Date: 15/04/2005
Url: http://www.shellsec.net

Vendor: http://www.dameware.com
PMDump: http://ntsecurity.nu/toolbox/pmdump/
Notepad++: http://notepad-plus.sourceforge.net

English Advisory: http://www.shellsec.net/leer_advisory.php?id=7
Spanish Advisory: http://www.shellsec.net/leer_advisory.php?id=6

Prev by Date: [SECURITY] [DSA 708-1] New PHP3 packages fix denial of service
Next by Date: myBloggie 2.1.1
Previous by thread: [SECURITY] [DSA 708-1] New PHP3 packages fix denial of service
Next by thread: myBloggie 2.1.1
Index(es):
- Date
- Thread