Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Dameware Remote Mini Controller Multiple Vulnerabilities

High

Synopsis

1) Unauthenticated Remote Heap buffer overflow

A client negotiates a session key with DWRCS.exe by performing a Diffie-Hellman (DH) key exchange. The key exchange is carried out in a message with the following format:

struct MSG_000105b9
{
	le32 MsgType;	// must be 0x000105b9
	byte unk[4];
	le32 status;		// 0 - no error
	byte msg[4096]; 	// error msg
	byte SrvDHPubKey[1024];
	le32 SrvDHPubKeyLen;
	le32 CltDHSharedSecretLen;    // length of client-computed DH shared secret
	le32 CltDHSharedSecretByteSum;// client-computed sum of all bytes in the secret
	byte CltDHPubKey;
	le32 CltDHPubKeyLen;
	le32 SrvDHSharedSecretLen;    // length of server-computed DH shared secret
	le32 SrvDHSharedSecretByteSum;// server-computed sum of all bytes in the secret
	byte RsaSignature[2048];      // client-generated signature of the shared secret with RSA_SHA512
	le32 RsaSignatureLen;
	byte RsaPubKey[2048];         // client's RSA public key in DER format
	le32 RsaPubKeyLen;
	...
}

The server does not perform proper validation on CltDHPubKeyLen, RsaSignatureLen, and RsaPubKeyLen. An unauthenticated remote attacker can cause a heap buffer overflow by specifying a large RsaPubKeyLen:

.text:100034F3      mov     edi, [esp+343Ch+var_msg.RsaPubKeyLen] ; attacker-controlled
.text:100034FA      push    edi ; size_t
.text:100034FB      lea     eax, [esp+3440h+var_msg.RsaPubKey] ; attacker-controlled
.text:10003502      push    eax ; void *
.text:10003503      lea     ecx, [esi+obj205c.RsaPubKey] ; heap buffer overflow !!!
.text:10003509      push    ecx ; void *
.text:1000350A      call    _memcpy

Windbg crash dump:

(a98.bd4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\dwrcs\DWRCRSS.dll - 
eax=83354b0f ebx=00000000 ecx=1fffe920 edx=00000003 esi=0335a68c edi=01467000
eip=01e335fa esp=03352ac0 ebp=03352ac8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
DWRCRSS!PBE_InitKey+0x3f44a:
01e335fa f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:023> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 03352ac8 01df350f 01461484 03354b10 7fffffff DWRCRSS!PBE_InitKey+0x3f44a
*** ERROR: Module load completed but symbols could not be loaded for C:\Windows\dwrcs\DWRCS.EXE
01 03355f64 004d19c2 00ee1168 00000000 7ffae000 DWRCRSS+0x350f
02 0335f8b4 004cddd8 f5cba9f8 00000000 00ef6328 DWRCS+0xd19c2
03 0335fd78 004ceb49 00000000 f5cbabc4 00000000 DWRCS+0xcddd8
04 0335ff44 006a08dd 00f17388 f5cbabfc 00000000 DWRCS+0xceb49
05 0335ff7c 006a0985 00000000 0335ff94 76fcef3c DWRCS+0x2a08dd
06 0335ff88 76fcef3c 00ef6328 0335ffd4 77d83618 DWRCS+0x2a0985
07 0335ff94 77d83618 00ef6328 79793141 00000000 kernel32!BaseThreadInitThunk+0xe
08 0335ffd4 77d835eb 006a0903 00ef6328 00000000 ntdll!__RtlUserThreadStart+0x70
09 0335ffec 00000000 006a0903 00ef6328 00000000 ntdll!_RtlUserThreadStart+0x1b

2) Unauthenticated Remote Buffer Over-read (large client DH public key length)

An unauthenticated remote attacker can cause a buffer over-read by specifying a large CltDHPubKeyLen value (i.e., 0xffffff):

(694.630): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\dwrcs\DWRCRSS.dll - 
eax=023cffff ebx=023c2a0c ecx=03390020 edx=00000000 esi=003fcfbf edi=0023bcd5
eip=01ff5aa0 esp=023c29b0 ebp=00000003 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
DWRCRSS!PBE_InitKey+0x118f0:
01ff5aa0 0fb64802        movzx   ecx,byte ptr [eax+2]       ds:0023:023d0001=??
0:021> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 023c29bc 02018df2 023c2a0c 023c3f00 00ffffff DWRCRSS!PBE_InitKey+0x118f0
01 00000000 00000000 00000000 00000000 00000000 DWRCRSS!PBE_InitKey+0x34c42

A MSG_000105b9 structure on the stack is used to store the message received from the client, so the CltDHPubKey is also on the stack. The CltDHPubKey is being accessed for CltDHPubKeyLen bytes. This could result in read access violation if the range CltDHPubKey + CltDHPubKeyLen touches an inaccessible page. However, if the range is covered by accessible pages, the access violation will not occur. In this case, the server will compute a wrong DH shared secret.

3) Unauthenticated Remote Buffer Over-read (large RSA signature length)

This is similar to 2) but with a large RsaSignatureLen in MSG_000105b9:

(fe4.ecc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\dwrcs\DWRCRSS.dll - 
eax=0225ffff ebx=01f56294 ecx=04610020 edx=00000000 esi=003fd0c2 edi=0005a56b
eip=01d75aa0 esp=0225287c ebp=00000003 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
DWRCRSS!PBE_InitKey+0x118f0:
01d75aa0 0fb64802        movzx   ecx,byte ptr [eax+2]       ds:0023:02260001=??
0:009> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 02252888 01d9b677 01f56294 0225430c 00ffffff DWRCRSS!PBE_InitKey+0x118f0
01 0225289c 01d8909e 022528dc 0225430c 00ffffff DWRCRSS!PBE_InitKey+0x374c7
02 022528f0 01d89334 01d89379 035fe670 0225292c DWRCRSS!PBE_InitKey+0x24eee
03 00000000 00000000 00000000 00000000 00000000 DWRCRSS!PBE_InitKey+0x25184

A MSG_000105b9 structure on the stack is used to store the message received from the client, so the RsaSignature is also on the stack. The RsaSignature is being accessed for RsaSignatureLen bytes. This could result in read access violation if the range RsaSignature + RsaSignatureLen touches an inaccessible page. However, if the range is covered by accessible pages, the access violation will not occur. In this case, the server will likely not able to verify the DH shared secret.

Other observations:

When negotiating a session key using Diffie-Hellman key exchange, DWRCRSS.dll (file version 12.1.0.34) uses a 128-bit DH prime (0xF51FFB3C6291865ECDA49C30712DB07B) and generator 3. The DH prime maybe too small to be secure. In addition, that prime number doesn't seem to be a prime at all:

# openssl prime -hex F51FFB3C6291865ECDA49C30712DB07B
F51FFB3C6291865ECDA49C30712DB07B is not prime

Further, the add sum of the all bytes in the DH shared secret is transmitted in the clear during the DH exchange. These factors may allow an attacker with captured traffic to recover the DH shared secret.

The DH shared secret is used to derive an AES key using PBKDF2, and the AES key is used to encrypt a login message that can contain the user name, password and domain. Knowing the DH shared secret may allow the attacker to obtain user login credentials on the DWRCS.exe host.

Disclosure Timeline

4/15/19 - Vulnerabilities discovered
4/19/19 - Tenable requests security contact from vendor.
4/26/19 - Tenable requests security contact from vendor.
4/26/19 - Solarwinds responds via customer support contact stating they've forwarded the information onward and closed the ticket. No further contact received.
5/3/19 - Tenable makes 3rd and final attempt to establish security contact.
5/3/19 - Solarwinds PSIRT makes contact.
5/3/19 - Tenable discloses details to vendor. New 90-day deadline is Aug. 1, 2019
5/6/19 - Solarwinds PSIRT acknowledges report.
5/15/19 - Tenable requests status update.
5/15/19 - Solarwinds PSIRT confirms validations of reported issues. Patches are in progress.
5/29/19 - Tenable requests status update.
6/4/19 - Tenable requests status update.
6/6/19 - Solarwinds PSIRT confirms vulns are patched.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.