The next step is to overwrite the SEH and next SEH addresses with the address of the instruction found above and the op codes for a small jump over that address. The executable was compiled without common protections, including ASLR which would have made hardcoding an address in the shellcode infeasible. As the DWRCC.EXE (main executable) is not being rebased on each execution, the instruction set found at address “0x00439D7D” was chosen. The buffer length before the overflow was identified using Metasploit’s helpful “pattern_create” and “pattern_offset” utilities, taking care to observe the bytes surrounding the overflow as the null bytes have to be discounted. From here, the next step is to determine how many bytes are required before the overwrite happens and to find a suitable set of “POP, POP, RET” instructions. This is because the input buffer is processed as wide characters, with UTF-16 encoding. Interestingly though, the A’s aren’t displayed how they were entered and have been separated by null bytes (0x00). This is quickly visible by looking at the SEH chain in the debugger.įollowing this process through, eventually we can see our A’s (0x41) being placed into EIP due to the corrupted SEH chain. The input is being written to the stack and has overflown the SEH addresses.
Looking at this process in a debugger, it becomes clear what is happening. Simply using a large number of A’s (over 2000) or any other character would result in the application terminating unexpectedly. Sometimes it may be necessary to fuzz input fields and parameters, an automated process of entering varying amounts of different characters in sequence in an attempt to identify unexpected behaviour, however this was not the case in this instance. However, for the proof of concept, only one of these fields was used the “Host” field under the SOCKS Proxy Settings.Īs a simple test for this vulnerability, a large number of characters can be entered into the field to observe the results. The majority of these fields lack appropriate input sanitization, leading to crashes when entering a large amount of input (more than 3,000 characters).
#SOLARWINDS DAMEWARE WINDOWS#
One of the windows (AMT Settings) within in the GUI has several input fields.
However, at the time of writing, this version doesn’t appear to be available from the customer portal and if you are affected by this issue, it is recommended that you request it directly from customer support. Solarwinds have been contacted about this issue who have acknowledged it and have released a version which reportedly contains the fix for the vulnerability, version 12.1. This vulnerability is due to insecure handling of a user input buffer which ultimately allows for overwriting Structured Exception Handler (SEH) addresses and the subsequent hijacking of execution flow.īelow is a video demonstration of exploitation for proof of concept of this vulnerability. Having recently completed my OSCE and looking to use some of the skills I picked up there in the real world, I found a local buffer overflow vulnerability in the latest version (at the time of writing) for Dameware MRC (12.0.5) and it has been assigned CVE-2018-12897. You can often find it among the plethora of toolkits used by system administrators managing the IT infrastructure in organisations. Dameware Mini Remote Control (MRC) is a remote administration utility allowing remote access to end user devices for a variety of purposes.