Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: NGSSoftware Insight Security Research (nisrngssoftware.com)
Date: Tue Apr 16 2002 - 09:10:15 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    NGSSoftware Insight Security Research Advisory

    Name: WebTrends Reporting Center 4.0d
    Systems Affected: WinNT, Win2K, XP
    Severity: High Risk
    Category: Remote System Buffer Overrun
    Vendor URL: http://www.webtrends.com
    Author: Mark Litchfield (markngssoftware.com)
    Advisory URL: http://www.ngssoftware.com/advisories/wtr.txt
    Date: 17th April 2002
    Advisory number: #NISR17042002C

    Issue: Attackers can run arbitrary code, remotely, as SYSTEM.

    WebTrends Reporting Center provides fast and comprehensive analysis of web
    site activity to multiple decision-makers throughout an organization via a
    browser-based interface. WebTrends Reporting Center is, according to their
    own website, NetIQ's flagship web analytics reporting product, recently
    receiving an Editor's Choice Award from Network Computing Magazine (Feb 6,

    Buffer Overrun: In order for an attacker to exploit this vulnerability
    requires they must first undergo user authentication at
    http://targetmachine:1099(default listening port)/remote_login.pl. However,
    Webtrends Reporting Server allows anonymous logins for reports that are made
    available for public viewing. After a successful login, making a GET
    request to http://targetmachine:1099/reports/(Long Char String) will cause
    an access violation occurs in WTRS_UI.EXE (WTX_REMOTE.DLL) overwriting the
    saved return address on the stack. The Reporting Server process,
    WTRS_UI.EXE, is by default started as a system service along with WTRS.EXE,
    therefore any arbitary code would execute with system privileges.

    Path Disclosure - By making a simple GET request for
    http://targetmachine/get_od_toc.pl?Profile= (no authentication required) an
    error message is returned - Unable to open content file

    Fix Information
    NGSSoftware alerted Webtrends to the buffer overrun issue on 31st March 2002
    and future versions will be fixed. There is still some question as to
    whether a patch will be produced for earlier versions. In the meantime
    NGSSoftware recommend preventing anonymous access to the Reports server.
    NGSSoftware recommend that where possible, the service be run as a low
    privileged account as opposed to starting it as a system service.

    A check for these issues have been added to Typhon II, NGSSoftware's
    vulnerability assessment scanner, of which more information is available
    from the NGSSite : http://www.ngssoftware.com/.

    Further Information
    For further information about the scope and effects of buffer overflows,
    please see