Netop Remote Control dws File Handling Overflow - Nessus

High   Plugin ID: 58769

This page contains detailed information about the Netop Remote Control dws File Handling Overflow Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 58769
Name: Netop Remote Control dws File Handling Overflow
Filename: netop_remote_control_guest_dws_bof.nasl
Vulnerability Published: 2011-04-28
This Plugin Published: 2012-04-17
Last Modification Time: 2018-11-15
Plugin Version: 1.6
Plugin Type: local
Plugin Family: Windows
Dependencies: netop_remote_control_guest_installed.nasl
Required KB Items: SMB/Netop_Remote_Control_Guest/Installed

Vulnerability Information


Severity: High
Vulnerability Published: 2011-04-28
Patch Published: 2011-03-30
CVE: N/A
CPE: cpe:/a:netop:remote_control

Synopsis

There is an application installed on the remote host that is affected by a buffer overflow vulnerability.

Description

Netop Remote Control Guest is installed on the remote Windows host and is less than version 10.0 build 2011087. As such, it reportedly has a flaw in handling '.dws' script files that can be utilized to trigger a buffer overflow.

By tricking the user into opening a specially crafted '.dws' file, a remote attacker may be able to execute arbitrary code subject to the user's privileges.

Solution

Upgrade to Netop Remote Control Guest 10.0 build 2011087 or greater.

Public Exploits


Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Netop Remote Control dws File Handling Overflow vulnerability:

  1. Metasploit: exploit/windows/fileformat/netop
    [NetOp Remote Control Client 9.5 Buffer Overflow]
  2. Exploit-DB: exploits/windows/local/17223.pl
    [EDB-17223: NetOp Remote Control 8.0/9.1/9.2/9.5 - Local Buffer Overflow]
  3. Exploit-DB: exploits/windows/remote/18697.rb
    [EDB-18697: NetOp Remote Control Client 9.5 - Remote Buffer Overflow (Metasploit)]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:ND
CVSS Base Score: 9.3 (High)
Impact Subscore: 10.0
Exploitability Subscore: 8.6
CVSS Temporal Score: 8.8 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.8 (High)


Plugin Source


This is the netop_remote_control_guest_dws_bof.nasl Nessus plugin source code. This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(58769);
  script_version("1.6");
  script_cvs_date("Date: 2018/11/15 20:50:27");

  script_bugtraq_id(47631);
  script_xref(name:"EDB-ID", value:"17223");
  script_xref(name:"EDB-ID", value:"18697");

  script_name(english:"Netop Remote Control dws File Handling Overflow");
  script_summary(english:"Checks version of Netop Remote Control Guest install");

  script_set_attribute(
    attribute:"synopsis",
    value:
"There is an application installed on the remote host that is affected
by a buffer overflow vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Netop Remote Control Guest is installed on the remote Windows host
and is less than version 10.0 build 2011087.  As such, it reportedly
has a flaw in handling '.dws' script files that can be utilized to
trigger a buffer overflow. 

By tricking the user into opening a specially crafted '.dws' file, a
remote attacker may be able to execute arbitrary code subject to the
user's privileges."
  );
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ba257e44");
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to Netop Remote Control Guest 10.0 build 2011087 or greater."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'NetOp Remote Control Client 9.5 Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/04/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/03/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:netop:remote_control");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies("netop_remote_control_guest_installed.nasl");
  script_require_keys("SMB/Netop_Remote_Control_Guest/Installed");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("audit.inc");

kb_base = "SMB/Netop_Remote_Control_Guest/";
port = get_kb_item("SMB/transport");

get_kb_item_or_exit(kb_base + "Installed");

version = get_kb_item_or_exit(kb_base + "Version");

if (ver_compare(ver:version, fix:'10.0.2011.87', strict:FALSE) == -1)
{
  if (report_verbosity > 0) 
  {
    version_ui = get_kb_item_or_exit(kb_base + "Version_UI");
    path = get_kb_item_or_exit(kb_base + "Path");
    report += '\n  Path              : '+path+
              '\n  Installed version : '+version_ui+ ' (' + version + ')' +
              '\n  Fixed version     : 10.0.11087 (10.0.2011.87)\n';
    security_hole(port:port, extra:report); 
  }
  else security_hole(port);
} 
else 
  audit(AUDIT_INST_VER_NOT_VULN, "Netop Remote Control Guest", version);
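
The same version gate, written as an added Python example for triaging a software inventory outside Nessus (it is not part of the plugin or Tenable's code). The hostnames, sample versions and the build-to-field mapping are assumptions; only the fixed version 10.0.2011.87 comes from the plugin source.

```python
import re

FIXED = (10, 0, 2011, 87)  # from the plugin source: fix:'10.0.2011.87'

def parse_version(text):
    """Return a 4-tuple of ints for a Netop Guest version string, or None.

    Accepts the four-field version the plugin compares ('10.0.2011.87') and
    the 'build' wording of the description ('10.0 build 2011087').
    Assumption: a 7-digit build splits 4+3 into the last two fields, inferred
    from the single pair of values shown on this page.
    """
    text = text.strip()
    m = re.fullmatch(r"(\d+)\.(\d+)\s+build\s+(\d{4})(\d{3})", text, re.I)
    if m:
        return tuple(int(g) for g in m.groups())
    if re.fullmatch(r"\d+(?:\.\d+){3}", text):
        return tuple(int(p) for p in text.split("."))
    return None  # includes the display form '10.0.11087', which is not compared

def triage(inventory):
    """Map host -> 'vulnerable' | 'fixed' | 'unknown' for (host, version) rows."""
    result = {}
    for host, raw in inventory:
        ver = parse_version(raw)
        if ver is None:
            result[host] = "unknown"   # unparsable is never reported as patched
        elif ver < FIXED:              # numeric comparison, field by field
            result[host] = "vulnerable"
        else:
            result[host] = "fixed"
    return result

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE = [
    ("ws-01", "9.5.2010.200"),
    ("ws-02", "10.0.2011.9"),        # a string compare would rank '9' above '87'
    ("ws-03", "10.0.2011.87"),
    ("ws-04", "10.0 build 2011087"),
    ("ws-05", "10.0.11087"),         # display form only
    ("ws-06", ""),
]

if __name__ == "__main__":
    for host, state in triage(SAMPLE).items():
        print(f"{host}: {state}")
```

Hosts that come back as unknown need the four-field file version collected before they can be cleared.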

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/netop_remote_control_guest_dws_bof.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\netop_remote_control_guest_dws_bof.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/netop_remote_control_guest_dws_bof.nasl


How to Run


Here is how to run the Netop Remote Control dws File Handling Overflow as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Windows plugin family.
  6. On the right side table select Netop Remote Control dws File Handling Overflow plugin ID 58769.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl netop_remote_control_guest_dws_bof.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a netop_remote_control_guest_dws_bof.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - netop_remote_control_guest_dws_bof.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state netop_remote_control_guest_dws_bof.nasl -t <IP/HOST>


References


BID | SecurityFocus Bugtraq ID:

See also:

Similar and related Nessus plugins:
  • 54644 - VisiWave Site Survey Report VWR File Handling Overflow
  • 54922 - IBM Lotus Notes Attachment Handling Multiple Buffer Overflows
  • 55471 - Novell File Reporter Engine RECORD Element Tag Parsing Overflow (credentialed check)
  • 56682 - Novell iPrint Client < 5.72 nipplib.dll GetDriverSettings Function Buffer Overflow
  • 57062 - Trend Micro Control Manager CmdProcessor.exe Remote Buffer Overflow
  • 58005 - Firefox 10.x < 10.0.2 'png_decompress_chunk' Integer Overflow
  • 58006 - Firefox 3.6.x < 3.6.27 'png_decompress_chunk' Integer Overflow
  • 58007 - Mozilla Thunderbird 10.x < 10.0.2 'png_decompress_chunk' Integer Overflow
  • 58008 - Mozilla Thunderbird 3.1.x < 3.1.19 'png_decompress_chunk' Integer Overflow
  • 58009 - SeaMonkey < 2.7.2 'png_decompress_chunk' Integer Overflow
  • 58386 - XnView < 1.98.6 Multiple Buffer Overflow Vulnerabilities
  • 58389 - IBM Tivoli Provisioning Manager Express for Software Distribution Isig.isigCtl.1 ActiveX RunAndUploadFile Method Boundary Error Remote Overflow
  • 58482 - Cisco Linksys PlayerPT ActiveX SetSource() Method base64string Argument Parsing Remote Overflow
  • 58483 - Dell Webcam CrazyTalk ActiveX Remote Overflow
  • 58591 - D-Link DCS-5605 Network Surveillance DcsCliCtrl.dll ActiveX Control SelectDirectory() Method Buffer Overflow
  • 58597 - TRENDnet SecurView UltraMJCam ActiveX Control OpenFileDlg Method WideCharToMultiByte() Call Remote Overflow
  • 58649 - Bitsmith Software Personal Knowbase knowbase.exe FileOpen Dialogue Local Overflow
  • 58989 - Csound getnum() getnum Function Multiple Buffer Overflows
  • 59108 - Mobipocket Reader CHM File Handling Remote Overflow
  • 59606 - XnView < 1.99.0 Multiple Buffer Overflow Vulnerabilities
  • 59685 - IBM Lotus iNotes Upload Module ActiveX Control Attachment_Times() Method Buffer Overflow
  • 59846 - IrfanView JPEG-2000 Plugin Remote Stack-based Buffer Overflow
  • 59847 - IrfanView Formats Plugin TTF File Buffer Overflow Vulnerability
  • 59848 - IrfanView FlashPix Plugin Heap Based Buffer Overflow
  • 59849 - IrfanView Formats Plugin ECW Plugin File Handling Buffer Overflow Vulnerability
  • 60036 - IrfanView DjVu Plugin DjVu Image File Decompression Overflow
  • 60037 - IrfanView JLS Plugin JLS Compressed Image File Handling Overflow
  • 60107 - Cisco Linksys PlayerPT ActiveX Control SetSource() Multiple Overflows
  • 60109 - Sony VAIO Wireless Manager ActiveX Control WifiMan.dll Multiple Buffer Overflows
  • 60111 - FlashFXP < 4.2.0.1730 ListIndex TListBox Handling Remote Overflow
  • 63059 - IrfanView < 4.35 Multiple Heap-Based Buffer Overflows
  • 63280 - WibuKey Runtime ActiveX Control DisplayMessageDialog Method String Parsing Overflow
  • 63303 - IrfanView ImXCF.dll XCF File Handling Overflow
  • 63417 - NVIDIA Display Driver Service Remote Stack Buffer Overflow (credentialed check)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file netop_remote_control_guest_dws_bof.nasl version 1.6. For more plugins, visit the Nessus Plugin Library.
