OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: NGSSoftware Insight Security Research (nisrngssoftware.com)
Date: Tue Apr 16 2002 - 09:09:04 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    NGSSoftware Insight Security Research Advisory

    Name: Web+ Cookie Buffer Overflow
    Systems Affected: IIS and Web+ 4.6/5.0 on Windows NT/2000
    Severity: High Risk
    Vendor URL: http://www.talentsoft.com
    Author: David Litchfield (davidngssoftware.com)
    Date: 17th April 2002
    Advisory number: #NISR17042002B
    Advisory URL: http://www.ngssoftware.com/advisories/webplus3.txt

    Issue: Attackers can run arbitrary code as SYSTEM on the web server.

    Description
    ***********
    Talentsoft's Web+ v5.0 is a powerful and comprehensive development
    environment for use in creating web-based client/server applications.

    Details
    ********
    By requesting a WML file from a web server and supplying an overly long
    cookie, an internal buffer is overflowed, overwriting a saved return address
    on the stack. On procedure return control over the web server process'
    execution can be gained. If the server is running IIS 4 and using the Web+
    ISAPI filter, then inetinfo.exe is the process captured. As this runs as
    SYSTEM, any code supplied by an attacker will run uninhibited. If IIS 5.0
    then the process is dllhost.exe which runs in the context of the IWAM_*
    account. As this has limited privileges the risk is reduced. If the Web+
    environment is set up using the webplus CGI executable, webplus.exe, on
    either server, then, again, the risk is reduced.

    Fix Information
    **************
    Talentsoft have created a patch for this problem. Please see
    http://www.talentsoft.com/download/download.en.wml for more details.
    NGSSoftware urges all Web+ customers to apply this as soon as is possible. A
    check for this issue has been added Typhon II, NGSSoftware's vulnerability
    assessment scanner, of which more information is available from the NGSSite
    http://www.ngssoftware.com/.

    Further Information
    *******************
    For further information about the scope and effects of buffer overflows,
    please see

    http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
    http://www.ngssoftware.com/papers/ntbufferoverflow.html
    http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
    http://www.ngssoftware.com/papers/unicodebo.pdf