Subject: DST2K0019: Multiple BufferOverruns in WebBBS v1.17
From: Security Team (securityteam@DELPHISPLC.COM)
Date: Sun Jul 02 2000 - 10:07:28 CDT


============================================================================
                            Delphis Consulting Plc
============================================================================

                           Security Team Advisories
                               [30/06/2000]

                            securityteam@delphisplc.com
                  [http://www.delphisplc.com/thinking/whitepapers/]
        
============================================================================
Adv : DST2K0019
Title : Multiple BufferOverruns in WebBBS v1.17
Author : DCIST (securityteam@delphisplc.com)
O/S : Microsoft Windows NT v4.0 Workstation (SP5)
Product : WebBBS v1.17
Date : 30/06/2000

I. Description

II. Solution

III. Disclaimer

============================================================================

I. Description
============================================================================

Vendor URL: http://www.webbbs.org/

WebBBS fixed a number of bugs which were referenced in DST2K0018. On release
of the new version (19/06/2000) DCIST audited it and confirmed that the issues
we released were resolved. However, Delphis Consulting Internet Security Team
(DCIST) discovered the following new vulnerabilities in WebBBS under
Windows NT.

Severity: med

By using an overly long string on the search file system option page it is
possible to cause a Denial of Service. The reason this is classed as a Denial
of Service rather than a BufferOverrun (which it does cause) is that the EIP
is seemingly random when overwritten (i.e. not byte perfect).

Severity: high

By using the new user sign-up form shipped and installed as standard by
WebBBS it is possible to cause a BufferOverRun in WebBBS. This is done by
connecting to port 80 (WebBBS), the port on which the service resides by
default, and sending a username. The username has to be a length of 892 + EIP
(4 bytes, making a total of 896 bytes). This will cause the application to
BufferOverRun, overwriting EIP. This would allow an attacker to execute
arbitrary code.
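As an added illustration (not part of this advisory or of WebBBS), a request-inspection check of the kind a proxy or log parser in front of this service could run: it parses a raw HTTP request, decodes the form fields as the CGI would, and flags any field whose decoded length reaches the 892-byte figure reported above. The sign-up path, the field names and the sample request are assumed/constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# 892 bytes is the field length the advisory reports as reaching EIP;
# WARN_LEN is an assumed sanity bound for a username or search string.
OVERRUN_LEN = 892
WARN_LEN = 256

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return method, path, headers, body[:length]

def extract_fields(raw: bytes):
    """Form fields from the query string and, for POST, the body.
    parse_qsl decodes %xx and '+', so lengths are what the CGI sees."""
    method, path, _headers, body = parse_request(raw)
    fields = list(parse_qsl(urlsplit(path).query, keep_blank_values=True,
                            encoding="latin-1"))
    if method == "POST":
        fields += parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                            encoding="latin-1")
    return fields

def check_request(raw: bytes):
    """Return (field, decoded_length, level) for every oversized field."""
    findings = []
    for name, value in extract_fields(raw):
        n = len(value.encode("latin-1"))
        if n >= OVERRUN_LEN:
            findings.append((name, n, "overrun"))
        elif n >= WARN_LEN:
            findings.append((name, n, "suspicious"))
    return findings

def build_signup_request(username: str) -> bytes:
    """Constructed sample sign-up POST; path and field names are assumed."""
    body = f"username={username}&password=secret"
    return (
        "POST /cgi-bin/webbbs/signup HTTP/1.0\r\n"
        "Host: bbs.example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    ).encode("latin-1")
```

The same check covers the search page, since query-string parameters of a GET are measured too.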

II. Solution
============================================================================

Vendor Status: Informed

Currently there is no vendor patch available, but the following are
preventative measures Delphis Consulting Internet Security Team would advise
users running this service to implement.

o Remove new user sign up
o Remove filesystem search

We have had e-mail confirmation from the WebBBS support team that this
will be dealt with once a code audit has been completed to address any
other areas we have not highlighted to them which may also be affected.

III. Disclaimer
============================================================================
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR
IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE
PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE
PLACED ON, THIS INFORMATION FOR ANY PURPOSE.
============================================================================