Security flaw in Mediahouse Statistics Server v4.28 & 5.01

From: per_bergehedat_private
Date: Thu Sep 30 1999 - 14:21:45 PDT


    Security flaw in Mediahouse Statistics Server v4.28 & 5.01.
    -----------------------------------------------------------
    
    My colleague found a security flaw in Mediahouse Statistics 
    Server a couple of weeks ago. I contacted Mediahouse about 
    this issue on the 8th of September. They are aware of the 
    problem but they have still not published a fix. 
    I submit this information to inform current users of
    the product that it is not safe. Hopefully Mediahouse 
    will publish a fix soon.
    
    A more detailed description of the flaw can be found at
    http://w1.855.telia.com/~u85513179/index.html
    
    Vulnerable versions: 
    --------------------
    
    Mediahouse Statistics Server 4.28, 5.0.
    (Probably the previous versions too!)
    
    (The Statistics Server runs on Windows NT 4.0)
    
    Description:
    ------------
    
    There is an "unchecked buffer" in the web interface for 
    remote administration of Statistics Server. For example, 
    Mediahouse's own live demo page at http://stats.mhstats.com/_938425738_/
    
    The "server ID" login page can be used for a "buffer 
    overflow" attack. The input field is only validated on 
    the client side (web browser). This is easy to circumvent.
    
    The second flaw is the configuration file (ss.cfg) which 
    contains the administrator password in clear-text!
    
    Exploit:
    --------
    
    Use your personal "favourite tool" to send >3773 
    characters into the Statistics Server and it will
    generate a "Dr Watson"! 
    
    There is a "brain.ini" file for the Retina security 
    scanner on my description site.
    
    If you have plans to write an exploit you might find
    this useful: Statistics Server v 4.28 will "jump" to 
    the address "65656565" if you send a couple of 'a's.
    
    Workarounds:
    ------------
    
    1. Restrict access to Statistics Server in your firewall.
    
    2. Run the Statistics Server service under a user account
       with lower privileges.
    
    3. Set proper ACLs on the configuration file:
       "C:\StatisticsServer\ss.cfg".
    
    4. Don't open up your firewall until a fix is released!! :o)
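
    A defender-side complement to the workarounds above, added here as an
    example and not part of the original post: scanning web access logs for
    login requests whose "server ID" field exceeds the 3773-character limit
    described in this advisory. The field name `serverid`, the `/login` path
    and the Common Log Format lines are assumptions; the sample log is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

OVERFLOW_THRESHOLD = 3773   # from the advisory: more than 3773 characters crashes the service
LOGIN_FIELD = "serverid"    # ASSUMPTION: name of the "server ID" form field (not given in the advisory)

# Common Log Format: src ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

def oversized_fields(target, limit=OVERFLOW_THRESHOLD):
    """Return {field: decoded_length} for every query parameter longer than limit."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    lengths = {k: max(len(v) for v in vals) for k, vals in params.items()}
    return {k: n for k, n in lengths.items() if n > limit}

def scan_log(lines, limit=OVERFLOW_THRESHOLD):
    """Return one finding per request that carries an oversized field, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:            # unparsable line: skip rather than guess
            continue
        for field, n in oversized_fields(m["target"], limit).items():
            findings.append({
                "src": m["src"], "time": m["time"], "field": field,
                "length": n, "status": int(m["status"]),
                # an oversized value in the login field followed by a 5xx/no response matches the crash pattern
                "login_field": field == LOGIN_FIELD,
            })
    return findings

# Constructed sample log lines (not real traffic): normal login, oversized login, static page.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Sep/1999:14:21:45 -0700] "GET /login?serverid=stats01 HTTP/1.0" 200 512',
    '10.0.0.9 - - [30/Sep/1999:14:22:01 -0700] "GET /login?serverid=' + 'a' * 4000 + ' HTTP/1.0" 500 0',
    '10.0.0.5 - - [30/Sep/1999:14:22:30 -0700] "GET /index.html HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} field={f['field']} len={f['length']} status={f['status']}")
```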
    
    References:
    -----------
    
    http://www.mediahouse.com
    http://w1.855.telia.com/~u85513179/index.html
    
    Credit:
    -------
    
    This vulnerability was discovered by a colleague of mine.
    He was investigating the security on my behalf. He wishes
    to stay anonymous. I'll forward any messages.
    
    
    
    Best regards
    
    Per Bergehed
    
    -------------------------------
    Per Bergehed, Telia IP-Services
    mailto:Per.Bergehedat_private
    