Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: NGSSoftware Insight Security Research (nisrngssoftware.com)
Date: Tue Apr 16 2002 - 09:09:04 CDT
NGSSoftware Insight Security Research Advisory
Name: Web+ Cookie Buffer Overflow
Systems Affected: IIS and Web+ 4.6/5.0 on Windows NT/2000
Severity: High Risk
Vendor URL: http://www.talentsoft.com
Author: David Litchfield (davidngssoftware.com)
Date: 17th April 2002
Advisory number: #NISR17042002B
Advisory URL: http://www.ngssoftware.com/advisories/webplus3.txt
Issue: Attackers can run arbitrary code as SYSTEM on the web server.
Talentsoft's Web+ v5.0 is a powerful and comprehensive development
environment for use in creating web-based client/server applications.
By requesting a WML file from a web server and supplying an overly long
cookie, an internal buffer is overflowed, overwriting a saved return address
on the stack. On procedure return control over the web server process'
execution can be gained. If the server is running IIS 4 and using the Web+
ISAPI filter, then inetinfo.exe is the process captured. As this runs as
SYSTEM, any code supplied by an attacker will run uninhibited. If IIS 5.0
then the process is dllhost.exe which runs in the context of the IWAM_*
account. As this has limited privileges the risk is reduced. If the Web+
environment is set up using the webplus CGI executable, webplus.exe, on
either server, then, again, the risk is reduced.
Talentsoft have created a patch for this problem. Please see
http://www.talentsoft.com/download/download.en.wml for more details.
NGSSoftware urges all Web+ customers to apply this as soon as is possible. A
check for this issue has been added Typhon II, NGSSoftware's vulnerability
assessment scanner, of which more information is available from the NGSSite
For further information about the scope and effects of buffer overflows,