OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: NGSSoftware Insight Security Research (nisr_at_nextgenss.com)
Date: Mon Aug 19 2002 - 10:04:27 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    NGSSoftware Insight Security Research Advisory

    Name: Multiple Remote Buffer Overruns TOMAHAWKS' STEELARROW
    Systems Affected: WinNT, Win2K (Not tested on other platforms)
    Severity: High Risk
    Category: Remote System Buffer Overrun
    Vendor URL: http://www.tomahawk.com
    Author: Mark Litchfield (markngssoftware.com)
    Date: 19th August 2002
    Advisory number: #NISR19082002B

    Description
    ***********

    SteelArrow is an easy to use Web Application Server offering the latest in
    Internet connectivity and dynamic content development. SteelArrow offers
    developers full web application development functionality and fully tested
    run time reliability. Steelarrow operates as an extension (on WinNT/2K) to
    Microsoft IIS, Apache and Netscape Enterprise servers.

    Details
    *******

    Buffer Overrun 1)

    SteelArrow tracks user sessions with cookies in the form of
    UserIdent=XXXXXXXXXXXX. By supplying an overly long vlaue in the Cookie
    HTTP header a buffer overflow occurs in the Steelarrow Service
    (Steelarrow.exe) overwriting a saved return address on the stack.
    Steelarrow, by default on Win2k/WinNT is installed as a system service. Any
    arbitary code executed using this vulnerability will run with system
    privileges.

    Buffer Overrun 2)

    By making an overly long request for a .aro (extension used by Steelarrow)
    file, an access violation occurs in DLLHOST.EXE (Steelarrow.dll), again
    overwriting a saved return address on the stack. Any code will execute in
    the security context of the IWAM account.

    Buffer Overrun 3)

    It's that Chunked Transfer-Encoding issue again. By making a request for a
    .aro file an including a specific Transfer-Encoding: Chunked request within
    the HTTP request header fields and access violation occurs in DLLHOST.EXE
    due to a heap overflow. Again any arbitary code execution will run in the
    context of the IWAM account.

    Fix Information
    ***************
    NGSSoftware alerted the vendor to these buffer overflow issues on the 1st
    2nd and 3rd of April 2002. A fix is available from
    http://www.steelarrow.com

    A check for these issues has been added to Typhon II, of which more
    information is available from the
    NGSSoftware website, http://www.ngssoftware.com.

    Further Information
    *******************

    For further information about the scope and effects of buffer overflows,
    please see

    http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
    http://www.ngssoftware.com/papers/ntbufferoverflow.html
    http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
    http://www.ngssoftware.com/papers/unicodebo.pdf