Security flaw in Mediahouse Statistics Server v4.28 & 5.01. ----------------------------------------------------------- My colleague found a security flaw in Mediahouse Statistics Server a couple of weeks ago. I contacted Mediahouse about this issue the 8:th September. They are aware of the problem but they have still not published a fix. I submit this information to inform current users of the product that it is not safe. Hopefully Mediahouse will publish a fix soon.. A more detailed description of the flaw can be found at http://w1.855.telia.com/~u85513179/index.html Vulnerable versions: -------------------- Mediahouse Statistics Server 4.28, 5.0. (Probably the previous versions too!) (The Statistics Server runs on Windows NT 4.0) Description: ------------ There is an "unchecked buffer" in the webinterface for remote administration of Statistics Server. For example: Mediahouses own live demo page at http://stats.mhstats.com/_938425738_/ The "server ID" login page can be used for an "buffer overflow" attack. The input field is only validated on the client side (webbrowser). This is easy to circumvent. The second flaw is the configuration file (ss.cfg) which contains the administrator password in clear-text! Exploit: -------- Use your personal "favourite tool" to send >3773 characters into the Statistics Server and it will generate a "Dr Watson"! There is a "brain.ini" file for the Retina security scanner on my description site. If you have plans to write an exploit you might find this useful: Statistics Server v 4.28 will "jump" to the address "65656565" if you send a couple of 'a's.. Workarounds: ------------ 1. Restrict access to Statistics Server in your firewall. 2. Run the Statistics Server service under a user account with lower privileges. 3. Set proper ACLs on the configuration file: "C:\StatisticsServer\ss.cfg". 4. Don't open up your firewall until a fix is released!! :o) References: ----------- http://www.mediahouse.com http://w1.855.telia.com/~u85513179/index.html Credit: ------- This vulnerability was discovered by a colleague of mine. He was investigating the security on my behalf. He whishes to stay anonymous. I'll forward any messages.. Best regards Per Bergehed ------------------------------- Per Bergehed, Telia IP-Services mailto:Per.Bergehedat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:06:15 PDT