CVE-2019-9017
published 2019-05-02

CVE-2019-9017: DWRCC in SolarWinds DameWare Mini Remote Control 10.0 x64 has a Buffer Overflow associated with the size field for the machine name.

Priority: P261, high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EXPLOIT
EPSS: 20.59% (97.2th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
solarwinds | dameware_mini_remote_control | |

Detection & IOCs (extracted from sources)

process: DWRCC.exe
path: C:\program files\SolarWinds\DameWare Mini Remote Control 10.0 x64 #1\DWRCC.exe
command: DWRCC.exe -c: -h: -m:<300*A>
  • Monitor execution of DWRCC.exe with a -m: argument containing an anomalously long string (300+ characters) as the machine name parameter, which is the overflow vector.
  • The PoC constructs a 300-byte buffer of repeated 'A' characters passed to the -m: (machine host name) parameter; detect command-line invocations of DWRCC.exe where -m: is followed by an unusually large value.
  • The exploit is delivered via VBScript (WScript.Shell / CreateObject) launching DWRCC.exe; monitor for scripting engines (wscript.exe/cscript.exe) spawning DWRCC.exe as a child process.
  • Vulnerability is specific to the x64 build of DameWare Mini Remote Control version 10.0; other versions or architectures are not confirmed affected.
  • The PoC was tested only on Windows 7 SP1 x64; exploit reliability on other Windows versions is unconfirmed.
  • The overflow is triggered via the command-line -m: (machine name) parameter, not over the network; exploitation requires local or scripted execution of DWRCC.exe.

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P