Remote Control
Mitigating Factors: For BrightStor ARCserve Backup for Laptops &
Desktops, only the server installation is affected. Client
installations are not affected. For CA Desktop Management Suite,
Unicenter Desktop Management Bundle, Unicenter Asset Management,
Unicenter Software Delivery and Unicenter Remote Control, only the
Managers and DSM Explorers are affected. Scalability Servers and
Agents are not affected.
Severity: CA has given this vulnerability a maximum risk rating
of High.
EEM 8.1, 8.2, 8.2.1
eTrust Audit/SCC 8.0 sp2
Identity Manager r12
NSM 3.0 0305, 3.1 0403, r3.1 SP1 0703, r11
Unicenter Asset Management r11.1, r11.2
Unicenter Remote Control r11.2
Unicenter Service Catalog r2.2, r11.1
Unicenter Service Metric Analysis r11.1
Unicenter ServicePlus Service Desk 6.0, r11, r11.1, r11.2
Unicenter Software Delivery r11.1, r11.2
Unicenter Workload Control Center r11
scripts with this feature which were tested. They can all be exploited by the
same malicious mp3. This includes:
* irssi: from http://irssi.org/scripts/: ixmmsa.pl 0.3, l33tmusic.pl 2.00,
mpg123.pl 0.01, ogg123.pl 0.01, xmms.pl 2.0, xmms2.pl 1.1.3, xmmsinfo.pl
1.1.1.1
* XChat: many from http://xchat.org: xmms-thing 1.0, XMMS Remote Control
Script 1.07, Disrok 1.0, a2x 0.0.1, Another xmms-info script 1.0, XChat-XMMS
0.8.1, and more...
* weechat: from http://weechat.flashtux.org/: now-playing.rb, xmms.pl 1.1
* BitchX: from http://scripts.bitchx.org/: xmms.bx 1.0
* Konversation: included media script
SysAid IT Enterprise delivers the tools you need to meet any IT challenge - now and in the future.
Core Module(s):
Help Desk
Asset Management
Remote Control
End-User Web Portal
My Desktop
Mobile Application
Knowledge Base
Reports & Analysis
Vendor: Netsupport
Product: Netsupport Manager
Vendor contacted 11 Nov 2009, fixed 11 Jan 2010 in version 10.60.0006
Netsupport gateway is a feature packaged with the netsupport manager product. "Delivering seamless Remote Control between PCs that may be located behind different firewalls. The NetSupport Gateway provides a stable and secure method for NetSupport enabled systems to locate and communicate via http."
In all versions prior to 10.60.0006 it is possible to remotely crash the service by simply telnetting to the port and hitting return twice, thereby causing a DoS. In versions prior to 10.60.0005 this would only work from Linux or Mac hosts; however, in 10.60.0005 (which was an attempt to fix the issue) it resulted in this working from Linux, Mac and Windows hosts. This variation was down to the differences in carriage returns between OSes. I presume that the root issue was providing null header information, though the vendor never confirmed.
regards
======================================================================
Secunia Research 02/02/2009
- Free Download Manager Remote Control Server Buffer Overflow -
======================================================================
Table of Contents
Affected Software
Symantec PcAnywhere version 10 – 12.5
==================================================
2) Severity Rating: Low
==================================================
3) Description of Vulnerability
A local format string vulnerability was discovered in Symantec PcAnywhere versions 10 through 12.5. The vulnerability is due to improper processing of format strings within remote control (.CHF) file names or the associated file path. When specially crafted format strings are entered as the file name (%s%s%s%s%s.chf) or within the path of the CHF file, the format string vulnerability is triggered, making it possible to read/write arbitrary memory and at a minimum cause a denial of service condition.
==================================================
4) Solution: Upgrade to version 12.5 SP1
==================================================
5) Time Table:
01/06/2009 Reported Vulnerability to Vendor.
and cannot be used for authenticating to the administration web interface.
Submitted commands are included in the data1 form variable, sent via a
POST request to the web server, and executed with the privileges of the
httpd web server, which runs as root on the system, allowing complete
remote control of the access point.
Two additional variables, data2 and data3, are processed by the web server
code but are not present in the form on the debug web page.
Command injection is also possible in the data2 and data3 payloads by
using typical shell command concatenation.
3. *Vulnerability Description*
Multiple integer overflow vulnerabilities have been discovered in
UltraVNC [1] and TightVNC [2], two (open source) remote control
applications derived from the popular VNC [3] software.
The vulnerabilities cause a miscalculation of a buffer size on the heap,
allowing an attacker to corrupt a VNC client's heap and probably allowing
code execution (exploitation is very likely).
Details
*******
An attacker can construct an HTML page that calls the vulnerable function "Accept" of the ActiveX object SAPIrRfc with a long parameter.
When a user opens this page, the result is a DoS (Example 1) or full remote control of the target system (Example 2, which executes calc.exe, is available by request).
Example1:
*********
TEHTRI-SA-2010-023 - Vuln in NEON Exploit Pack. Permanent XSS+XSRF.
TEHTRI-SA-2010-022 - Vuln in NEON Exploit Pack. SQL Injection.
TEHTRI-SA-2010-021 - Vuln in YES Exploit Pack. Remote File Disclosure.
TEHTRI-SA-2010-020 - Vuln in YES Exploit Pack. Permanent XSS+XSRF admin.
TEHTRI-SA-2010-019 - Vuln in YES Exploit Pack. Remote SQL Injection.
TEHTRI-SA-2010-018 - Vuln in LuckySploit Expl Pack. Remote control.
TEHTRI-SA-2010-017 - Vuln in Liberty Exploit Pack. Permanent XSS+XSRF.
TEHTRI-SA-2010-016 - Vuln in Liberty Exploit Pack. SQL Injection.
TEHTRI-SA-2010-015 - Vuln in Eleonore Exploit Pack. Another SQL Inject.
TEHTRI-SA-2010-014 - Vuln in Eleonore Exploit Pack. XSRF in admin panel.
TEHTRI-SA-2010-013 - Vuln in Eleonore Exploit Pack. Permanent XSS.
service. Sending SIGSTOP may behave likewise, only moreso: the creator
will still exist, so the lock files may not be considered stale,
fcntl() locks will still be held, etc.
There's more risk if a program uses signals (e.g. SIGUSR1) for remote
control.
If there wasn't *any* risk, there wouldn't be any restrictions on
sending signals to privileged processes.
> > > Well written program must not depend on anything that is out of