The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
DameWare NT Utilities Information Disclosure
------------------------------------------------------------------------
SUMMARY
" <http://www.dameware.com/> DameWare NT Utilities is an enterprise system
management application for Windows NT/2000/XP/2003 which provides an
integrated collection of Microsoft Windows NT administration utilities
incorporating a centralized interface for remote management of Windows
NT/2000/XP/2003 Servers and Workstations. All of the standard Windows
NT/2000/2003 Server and Windows NT/2000/XP Workstation utilities are
included, along with many DameWare NT Utilities custom NT tools including
Mini Remote Control and Exporter. Most of the standard utilities have been
drastically enhanced for superior performance, added functionality and
ease of use."
Information of users like password and other information may be retrieve
by attackers by dumping memory of Mini Remote Control and by reading plain
text files of NT Utilities.
DETAILS
Vulnerable Systems:
* Dameware NT Utilities and MiniRemote Control version 4.9 and prior
NT Utilities:
When the process DNTUS26 located in the remote machine is dumped from
memory to a file with PMDump can obtain the user and the password because
both are stored in clear-text. Viewing the event id of windows can know
the user connected then only opening the dump file and searching the user
can obtain the password looking for any clear-text in the same line of the
user.
All utilities (disk,event,groups,open files..cmd view..) are vulnerable
but if execute CMD Console (not cmd view) and dump the process, searching
the word "Console" can obtain the user,password,remote user and remote
host name.
Example:
Console:CrowDat:myplaintextpassword:Y:N:Kurobudetsu:TAMICA2000
Mini Remote Control:
When the process DWRCS (remote machine or server machine) is dumped from
memory to a file with PMDump can obtain information of program
settings,user name and authentication type but not the password.
When the process DWRCC (client machine or local machine) is dumped from
memory to a file with PMDump can obtain all
users,passwords,host-name/ip,alias and domain name stored for connect with
alternate credentials, searching the word "sam computers" can find all.
To make easy find the user and password when i tested always find the user
and password between a short range of lines.
Proof of Concept:
User and Password can be found between lines:
41900-42000 in disk, event, groups, open-files, properties... (NT
Utilities)
4550-4600 DWRCC (Mini Remote Control Client)
300-400 DWRCS (Mini Remote Control Server)
ADDITIONAL INFORMATION
The information has been provided by <mailto:jordi@shellsec.net> Jordi
Corrales.
The original article can be found at:
<http://www.shellsec.net/leer_advisory.php?id=7>
http://www.shellsec.net/leer_advisory.php?id=7
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
