Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1999-q3

Bugtraq Archives: Security flaw in Mediahouse Statistics Server

Security flaw in Mediahouse Statistics Server v4.28 & 5.01

per_bergehedHOTMAIL.COM
Thu, 30 Sep 1999 21:21:45 -0000

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Next message: Alfred Huger: "Re: Historical Bugtraq Question"
Previous message: Charlie Giannetto: "Re: Sun's TTSESSION Vulnerability"

Security flaw in Mediahouse Statistics Server v4.28 & 5.01.
-----------------------------------------------------------

My colleague found a security flaw in Mediahouse Statistics
Server a couple of weeks ago. I contacted Mediahouse about
this issue the 8:th September. They are aware of the
problem but they have still not published a fix.
I submit this information to inform current users of
the product that it is not safe. Hopefully Mediahouse
will publish a fix soon..

A more detailed description of the flaw can be found at
http://w1.855.telia.com/~u85513179/index.html

Vulnerable versions:
--------------------

Mediahouse Statistics Server 4.28, 5.0.
(Probably the previous versions too!)

(The Statistics Server runs on Windows NT 4.0)

Description:
------------

There is an "unchecked buffer" in the webinterface for
remote
administration of Statistics Server. For example:
Mediahouses
own live demo page at http://stats.mhstats.com/_938425738_/

The "server ID" login page can be used for an "buffer
overflow" attack. The input field is only validated on
the client side (webbrowser). This is easy to circumvent.

The second flaw is the configuration file (ss.cfg) which
contains the administrator password in clear-text!

Exploit:
--------

Use your personal "favourite tool" to send >3773
characters into the Statistics Server and it will
generate a "Dr Watson"!

There is a "brain.ini" file for the Retina security
scanner on my description site.

If you have plans to write an exploit you might find
this useful: Statistics Server v 4.28 will "jump" to
the address "65656565" if you send a couple of 'a's..

Workarounds:
------------

1. Restrict access to Statistics Server in your firewall.

2. Run the Statistics Server service under a user account
with lower privileges.

3. Set proper ACLs on the configuration file:
"C:\StatisticsServer\ss.cfg".

4. Don't open up your firewall until a fix is released!! :o)

References:
-----------

http://www.mediahouse.com
http://w1.855.telia.com/~u85513179/index.html

Credit:
-------

This vulnerability was discovered by a colleague of mine.
He was investigating the security on my behalf. He whishes
to stay anonymous. I'll forward any messages..

Best regards

Per Bergehed

-------------------------------
Per Bergehed, Telia IP-Services
mailto:Per.Bergehedhotmail.com

Next message: Alfred Huger: "Re: Historical Bugtraq Question"
Previous message: Charlie Giannetto: "Re: Sun's TTSESSION Vulnerability"

This archive was generated by hypermail 2.0b3 on Fri Oct 01 1999 - 13:35:02 CDT