Something we failed to mention, which is rather important, is that only the NT version of Ultraseek is affected.

Signed,
Marc
eEye Digital Security Team
http://www.eEye.com

| -----Original Message-----
| From: Bugtraq List [mailto:BUGTRAQat_private] On Behalf Of luciano
| Sent: Thursday, December 16, 1999 12:49 AM
| To: BUGTRAQat_private
| Subject: Infoseek Ultraseek Remote Buffer Overflow
|
|
| USSR & eEye DS Present:
|
| Infoseek Ultraseek 3.1 Remote Buffer Overflow
|
| USSR Advisory Code: 20
| eEye DS Advisory Code: AD19991215
|
| Release Date:
| December 15, 1999
|
| Systems Affected:
| Infoseek Ultraseek 2.1 to 3.1 and possibly others.
|
| The Opener:
| T1 Internet Connection: $1,000/month
| Dell PowerEdge 4350 Server: $4,307
| 10k Doc. license for Ultraseek 3.1: $4,995
| Brand new office in silicon valley: $10,000/month
|
| The look on your CEO's face when you get hacked: Priceless.
|
| About The Software:
| Ultraseek is Infoseek Corporation's search engine software. The power and
| flexibility of Ultraseek allow it to be used by a variety of businesses,
| from the small mom and pop shops to companies even as large as Infoseek
| themselves. You've heard of go.com by now, haven't you?
|
| Description:
|
| This advisory, although a rather nasty one, will be pretty small. We are not
| going to get into the mechanics of buffer overflows since the subject has
| been talked about a lot. If you would like to learn more about what a
| buffer overflow is we suggest the following links:
| http://www.l0pht.com/advisories/bufero.html
| http://arden.iss.net/~msells/docs/smashstack.txt
| http://www.cultdeadcow.com/cDc_files/cDc-351/
| http://www.beavuh.org/dox/win32_oflow.txt
|
| By default the Ultraseek search engine listens on port 8765 and provides an
| HTTP interface to allow internet/intranet users to search a server for
| documents pertaining to their search keywords.
|
| To identify a vulnerable server you would do the following:
| C:\>telnet www.example.com 8765
| send-> HEAD / HTTP/1.0
|
| recv-> HTTP/1.0 200 OK
| recv-> Server: Ultraseek/3.1 Python/1.5.1
| recv-> Date: Thu, XX Dec 1999 23:59:42 GMT
| recv-> Content-type: text/html
| recv-> Content-length: 0
|
| Ultraseek 3.1 is the current version of Ultraseek as of the writing of this
| advisory. We have tested versions as old as 2.1. So while we are not
| positive, we are pretty sure every version of Ultraseek prior to 3.1 is
| vulnerable.
|
| The overflow occurs in the HTTP Get command. To DoS (Denial of Service) the
| server you would do the following:
| C:\>telnet www.example.com 8765
| GET /[overflow]/ HTTP/1.0
| <enter>
| <enter>
|
| At this point one of the two pyseekd.exe (Ultraseek Server Process) will
| drop and reinitialize. Since it is a service you will never get an on
| screen memory error. Also you will not even really notice the process drop
| and reload but if you look closely when you DoS the server one of the two
| pyseekd.exe processes will now have a new PID.
|
| This is just like any typical buffer overflow and it is exploitable. To
| download a proof of concept exploit, go to:
| http://www.ussrback.com/
| http://www.eeye.com/
| Note: The example will just create a file called ussreeye.txt in whatever
| the current root is. This exploit has only been tested against Ultraseek 2.1
| for NT Service Pack 5 and NT Service Pack 6. Please do not send us eMail
| saying you could not get it to work or things of that nature. If you can't
| fix it yourself then most likely you do not need to be using it in the first
| place.
|
| What gets logged you ask?
| Well in the application event log you will see a Warning with the following
| information: "Ultraseek Server: Warning: restarted 3.1.4".
| In the Ultraseek http access logs (C:\Program Files\Infoseek\UltraseekServer\data\logs)
| nothing gets logged.
| So when all is said and done unless you have a router log to match the event
| log time with... you're left with no way of knowing who did the dirty deed.
|
| Once again a web service, just like IIS, fails to log a command before it
| processes. Any service that takes commands needs to log the command first
| and then process it. That way unless there is an overflow in the logging
| process we will always know what IP performed the attack.
|
| This advisory was made possible by a joint effort of USSR (Underground
| Security Systems Research) and eEye Digital Security.
|
| Do you do the w00w00?
| This advisory also acts as part of w00giving. This is another contribution
| to w00giving for all you w00nderful people out there. You do know what
| w00giving is don't you? http://www.w00w00.org/advisories.html
|
| Vendor Status:
| We would like to thank Infoseek for the wonderful way they handled this
| advisory. The process went rather perfectly, if there is such a thing in the
| security world.
|
| Fix:
| http://software.infoseek.com/products/ultraseek/upgrade_nt.htm
| ftp://ftp.infoseek.com/pub/software/ultraseek-3.1.5.exe
|
| Related Links:
|
| eEye Digital Security
| http://www.eEye.com
|
| Retina - The Network Security Scanner
| http://www.eEye.com/retina/
|
| Underground Security Systems Research
| http://www.ussrback.com
|
| CrunchSp
| http://www.ussrback.com/products.html
|
| Greetings:
| Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and
| Wiretrip.
|
| Copyright (c) 1998-1999 eEye Digital Security
| Permission is hereby granted for the redistribution of this alert
| electronically. It is not to be edited in any way without express consent
| of eEye. If you wish to reprint the whole or any part of this alert in any
| other medium excluding electronic medium, please e-mail alertat_private for
| permission.
|
| Disclaimer
| The information within this paper may change without notice. Use of this
| information constitutes acceptance for use in an AS IS condition. There are
| NO warranties with regard to this information. In no event shall the author
| be liable for any damages whatsoever arising out of or in connection with
| the use or spread of this information. Any use of this information is at
| the user's own risk.
|
| Feedback
| Please send suggestions, updates, and comments to:
|
| eEye Digital Security
| mail:infoat_private
| http://www.eEye.com
|
| USSR Labs
| mail:labsat_private
| http://www.ussrback.com
|
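The quoted advisory's main defensive lesson is that Ultraseek parsed the GET path before writing anything to its access log, so a crash left no record of the source address. The following is an added example (not part of the advisory or of Ultraseek) of the "log first, then process" rule applied to an HTTP request line, with a hard length bound in front of the path parser; all addresses, limits and sample requests are constructed for illustration.

```python
# Added example (not from the advisory): record the client IP and request line
# BEFORE parsing, and bound its length, so an over-long GET path leaves an
# attributable record even if later processing crashes.
from datetime import datetime, timezone
from typing import List, Tuple

MAX_REQUEST_LINE = 2048   # hard bound applied before the path is ever parsed
LOG_EXCERPT = 120         # keep the log record itself bounded; never log the whole payload

# In-memory stand-in for an append-only access log (a real server would flush a file).
AUDIT_LOG: List[str] = []


def audit(client_ip: str, raw: bytes) -> str:
    """Write one record: UTC timestamp, source IP, total length, short excerpt."""
    excerpt = raw[:LOG_EXCERPT].decode("latin-1", "replace").rstrip("\r\n")
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    line = f"{stamp} {client_ip} len={len(raw)} req={excerpt!r}"
    AUDIT_LOG.append(line)
    return line


def handle_request_line(client_ip: str, raw: bytes) -> Tuple[int, str]:
    """Return an HTTP (status, reason) for one request line; logging happens first."""
    audit(client_ip, raw)                       # 1. record who sent what, unconditionally
    if len(raw) > MAX_REQUEST_LINE:             # 2. reject before touching the path at all
        return 414, "Request-URI Too Long"
    parts = raw.decode("latin-1", "replace").rstrip("\r\n").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return 400, "Bad Request"
    method, path, _version = parts
    if method not in ("GET", "HEAD"):
        return 405, "Method Not Allowed"
    if not path.startswith("/"):
        return 400, "Bad Request"
    return 200, "OK"                            # 3. only now would real request handling run


def demo() -> List[Tuple[int, str]]:
    """Constructed sample traffic: a normal GET, a HEAD, and an over-long path."""
    samples = [
        ("192.0.2.10", b"GET /query.html HTTP/1.0\r\n"),
        ("192.0.2.10", b"HEAD / HTTP/1.0\r\n"),
        ("198.51.100.7", b"GET /" + b"A" * 5000 + b"/ HTTP/1.0\r\n"),  # shape of the advisory's DoS
    ]
    return [handle_request_line(ip, line) for ip, line in samples]


if __name__ == "__main__":
    print(demo())
    for rec in AUDIT_LOG:
        print(rec)
```

Because `audit()` runs before any parsing, the third sample is rejected with a 414 and the log still holds the source IP and length, which is exactly the correlation the advisory says was impossible with the original server.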
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:21:34 PDT