Given the privilege and reach of this class of software, it is a prime target for adversaries. In this post we detail a vulnerability (CVE-2016-2345) found in one such package, Dameware Mini Remote Control, maintained by Solarwinds.

We found this vulnerability while reviewing the message parsing functions of the DWRCS service, which is installed on every managed client. The vulnerability is not readily identifiable because the application loads its string constants at runtime with LoadString, so the format string never appears inline in the code and a reviewer has to resolve the resource id to see what is being formatted. Pseudo-code of the vulnerable function is listed below.

Perusing the resource table stored in the executable, we found the string for id 0x11 to be the following:

"The desktop user disconnected the session via the MRC Tray menu UserID: %s"

The vulnerability is an overflow of the dst_buf buffer, which is 0x210 bytes: the UserID supplied in the message is expanded through the %s with no bound other than wsprintf's own 1024-byte output cap, which is still far past the end of dst_buf. What makes this vulnerability particularly interesting is the way the stack frame is set up. The buffer holding the format string is located immediately after the destination buffer of the wsprintf call. This means that when dst_buf is overflowed, we overwrite the format string and can therefore place format specifiers in it at will. The bug is not only a buffer overflow but can also be used as a format string vulnerability to leak memory addresses.
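To make the frame layout concrete, here is a small C model of the bug and of its hardened form. This is added example code, not DWRCS code and not the authors' proof of concept: the 0x210-byte dst_buf, the resource string and the "format buffer directly after dst_buf" layout are taken from the post, while the size of fmt_buf (FMT_BUF_SIZE) and the way the single %s is expanded by hand are assumptions of the model. The 1024-byte cap is wsprintf's documented output limit. The frame is written as one byte region so the spill into fmt_buf is well-defined C here; on the real stack it simply clobbers whatever sits above dst_buf.

```c
#include <stdio.h>
#include <string.h>

/* Model of the DWRCS stack frame as the post describes it: the wsprintf
 * destination (0x210 bytes, per the post) sits directly below the buffer
 * that LoadString filled with the format string, so every byte written past
 * dst_buf lands in fmt_buf. FMT_BUF_SIZE is an assumption of this model. */
#define DST_BUF_SIZE 0x210
#define FMT_BUF_SIZE 0x200
#define WSPRINTF_MAX 1024   /* wsprintf never writes more than 1024 bytes */

struct frame {
    char dst_buf[DST_BUF_SIZE];
    char fmt_buf[FMT_BUF_SIZE];   /* immediately above dst_buf */
};

/* Resource string 0x11 quoted in the post. */
static const char RES_0x11[] =
    "The desktop user disconnected the session via the MRC Tray menu UserID: %s";

void frame_init(struct frame *f) {
    memset(f, 0, sizeof *f);
    strcpy(f->fmt_buf, RES_0x11);   /* what LoadString(0x11) leaves on the stack */
}

/* Split a format of the shape "<prefix>%s<suffix>" so the model can expand
 * the single %s by hand and never hands attacker bytes to printf itself. */
static void split_fmt(const char *fmt, size_t *prefix_len, const char **suffix) {
    const char *pct = strstr(fmt, "%s");
    if (pct) { *prefix_len = (size_t)(pct - fmt); *suffix = pct + 2; }
    else     { *prefix_len = strlen(fmt);         *suffix = fmt + *prefix_len; }
}

/* Append n bytes of s at out[pos], leaving room for a terminator within cap. */
static size_t put(char *out, size_t cap, size_t pos, const char *s, size_t n) {
    size_t i;
    for (i = 0; i < n && pos < cap - 1; i++)
        out[pos++] = s[i];
    return pos;
}

/* The bug, modelled: output is bounded only by wsprintf's 1024-byte cap, not
 * by sizeof(dst_buf). Returns how many bytes (NUL included) landed past the
 * end of dst_buf, i.e. inside fmt_buf. */
size_t vulnerable_format(struct frame *f, const char *user_id) {
    char fmt[FMT_BUF_SIZE];
    size_t prefix_len, pos;
    const char *suffix;
    char *out = (char *)f;   /* dst_buf is the first member: offset 0 */
    size_t cap = sizeof *f < WSPRINTF_MAX ? sizeof *f : WSPRINTF_MAX;

    memcpy(fmt, f->fmt_buf, sizeof fmt);   /* format is read before the write */
    split_fmt(fmt, &prefix_len, &suffix);
    pos = put(out, cap, 0, fmt, prefix_len);
    pos = put(out, cap, pos, user_id, strlen(user_id));
    pos = put(out, cap, pos, suffix, strlen(suffix));
    out[pos++] = '\0';
    return pos > DST_BUF_SIZE ? pos - DST_BUF_SIZE : 0;
}

/* Hardened form: the write is bounded by the destination size and truncation
 * is reported instead of silently producing a cut log line. fmt_buf is never
 * touched. Returns the message length, or -1 if it did not fit. */
int hardened_format(struct frame *f, const char *user_id) {
    char fmt[FMT_BUF_SIZE];
    size_t prefix_len;
    const char *suffix;
    int n;

    memcpy(fmt, f->fmt_buf, sizeof fmt);
    split_fmt(fmt, &prefix_len, &suffix);
    n = snprintf(f->dst_buf, sizeof f->dst_buf, "%.*s%s%s",
                 (int)prefix_len, fmt, user_id, suffix);
    if (n < 0 || (size_t)n >= sizeof f->dst_buf) {
        f->dst_buf[0] = '\0';
        return -1;
    }
    return n;
}

int main(void) {
    struct frame f;
    char user_id[700];

    /* Constructed UserID: 600 filler bytes followed by format specifiers, so
     * the specifiers come to rest inside fmt_buf. */
    memset(user_id, 'A', 600);
    strcpy(user_id + 600, "%p%p%p%p");

    frame_init(&f);
    printf("vulnerable: %zu bytes spilled into fmt_buf, which now starts \"%.16s...\"\n",
           vulnerable_format(&f, user_id), f.fmt_buf);

    frame_init(&f);
    printf("hardened:   %d\n", hardened_format(&f, user_id));
    return 0;
}
```

With the constructed 608-byte UserID, 72 bytes of prefix plus the first 456 filler bytes fill dst_buf exactly, and the remaining 153 bytes, including the "%p%p%p%p" tail and the terminator, land in fmt_buf, which is the condition the post describes: whatever next consumes that buffer as a format string is now parsing attacker-chosen specifiers. The model expands the %s by hand rather than executing the overwritten format, so the format-string side is shown by the contents of fmt_buf, not by running it. In real Windows code the hardened variant corresponds to StringCchPrintf or _snwprintf_s with the destination size passed explicitly and the truncation result checked.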

At this point we began setting up a proof of concept to try to gain control of execution through this vulnerability. The first thing we typically do at this stage is identify which memory protections were compiled into the binary. Analyzing the stack dump, we see that the binary uses stack cookies (/GS) to protect the saved return address from being overwritten. Using Corelan's mona.py script, whose module table reports SafeSEH, ASLR and DEP/NXCompat, we see that no other memory protections are employed.