Multiple vulnerabilities in WinShadow

-------------------------------------





Affected Systems: OmniCom WinShadow



version: 2.0 (and possibly earlier versions)



Vendor: OmniCom Technologies - http://www.omnicomtech.com



Issue: 1. Buffer overflow in client handling hostnames in host files

       2. DoS against server



Released: 27 September 2003





Introduction:

=============

"winshdow: Create a secure remote control session on the Internet or private WAN/LAN network allowing easy access to remote files and applications. Increase productivity by allowing secure remote access for mobile users and system administrators."



- Vendors Description

   [ http://www.omnicomtech.com ]





Details:

========

Multiple vulnerabilities has been identified in winShadow version 2.0, which allows malicious users to execute arbitrary code on the master client and remotely crash the server. 



Buffer Overflow:

----------------

winShadow saves hostnames in host files (*.osh), the process handing the hostname parameter read from the file will cause a buffer overflow if approximately 250 bytes are passed after this parameter.



Denial of Service:

------------------

By connecting to the server and issuing a long username or password, the server will crash, refusing any further connections until the server is closed by logging off or rebooting the system, this may be because it a service that runs with system privileges.





Vendor status:

==============

The vendor has been informed.





Exploit:

========

Can be downloaded from http://www.elitehaven.net/winshadow.zip

The exploit was written by Peter Winter-Smith.





Discovered by/Credit:

=====================

Bahaa Naamneh

b_naamneh@hotmail.com

http://www.bsecurity.tk