Netwin Webnews Buffer Overflow Vulnerability (#NISR18022002)

From: NGSSoftware Insight Security Research (nisrat_private)
Date: Mon Feb 18 2002 - 07:17:10 PST


    NGSSoftware Insight Security Research Advisory
    
    Name:    Netwin Webnews.exe
    Systems Affected:  IIS4 & IIS5 on Windows NT/2000
    Severity:  High Risk
    Vendor URL:   http://www.netwinsite.com
    Author:   Mark Litchfield (markat_private)
    Date:   18th February 2002
    Advisory number: #NISR18022002
    Advisory URL: http://www.nextgenss.com/advisories/netwinnews.txt
    
    Issue
    *****
    Netwin's WebNews contains a remotely exploitable buffer overrun that allows
    the execution of arbitrary code.
    
    Description
    ***********
    WebNEWS is a server-side CGI application which provides users with web-based
    access to Internet news groups. It is compatible with any standard NNTP
    (Network News) server. WebNews allows news groups to be displayed, accessed
    and searched via a web-based interface, and may be used to provide a
    web-based news service similar to the popular Deja News service. Providing
    web access to news lets users reach their news from anywhere on the net; all
    they need is a web browser.
    
    Details
    *******
    Webnews.exe is the main executable that provides the program's
    functionality. The buffer overflow manifests itself when an overly long
    string (c. 1500 bytes) is supplied in the group parameter of the query
    string while the server is handling a request that carries a valid "utoken".
    The "utoken" is the user token issued by the server for a given session.
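    The following detection helper is an added example, not NGSSoftware's or Netwin's code: it scans IIS W3C extended log lines for requests to webnews.exe that carry a utoken together with an overlong group value, the combination the advisory describes. The log lines are constructed samples, the field layout is an assumed W3C logging configuration, and the 1000-byte threshold is an assumption set below the c. 1500 bytes cited above.

```python
"""Added detection example for the WebNews group-parameter overflow (not the vendor's
or NGSSoftware's code). Flags IIS W3C log entries where webnews.exe received a
'utoken' with an overlong 'group'. Sample lines and the threshold are assumptions."""
from urllib.parse import parse_qs

GROUP_LEN_THRESHOLD = 1000  # assumption: alert below the ~1500-byte trigger length
# Assumed W3C extended logging fields enabled on the IIS site.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

def parse_w3c_line(line):
    """Split one W3C log line into a field dict; None for '#' directives or malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split(" ")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def longest_group_with_utoken(entry):
    """Longest 'group' value (decoded bytes) when webnews.exe is hit with a utoken, else 0."""
    if not entry["cs-uri-stem"].lower().endswith("/webnews.exe") or entry["cs-uri-query"] == "-":
        return 0
    params = parse_qs(entry["cs-uri-query"], keep_blank_values=True)  # decodes %xx as the CGI would
    if "utoken" not in params:  # advisory: the overflow is reached only with a valid utoken
        return 0
    return max((len(g) for g in params.get("group", [])), default=0)

def scan(lines, threshold=GROUP_LEN_THRESHOLD):
    """Return (c-ip, group length, sc-status) for each entry at or above the threshold."""
    hits = []
    for line in lines:
        entry = parse_w3c_line(line)
        if entry is None:
            continue
        n = longest_group_with_utoken(entry)
        if n >= threshold:
            hits.append((entry["c-ip"], n, entry["sc-status"]))
    return hits

# Constructed sample log: a benign request, an overlong group with a utoken,
# an overlong group without a utoken (not flagged), and an unrelated page.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-02-18 15:17:10 192.0.2.10 GET /cgi-bin/webnews.exe group=alt.test&utoken=tok1 200",
    "2002-02-18 15:17:11 192.0.2.10 GET /cgi-bin/webnews.exe group=" + "A" * 1500 + "&utoken=tok1 500",
    "2002-02-18 15:17:12 192.0.2.11 GET /cgi-bin/webnews.exe group=" + "A" * 1500 + " 200",
    "2002-02-18 15:17:13 192.0.2.12 GET /default.htm - 200",
]

if __name__ == "__main__":
    for ip, n, status in scan(SAMPLE_LOG):
        print(f"{ip}: {n}-byte group parameter to webnews.exe with utoken (status {status})")
```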
    
    In terms of an attack, any code executed will run in the security context of
    the low-privileged account used by IIS to service such requests, so it will
    not have full control over the system. That said, it is imperative that this
    be addressed, as it gives an attacker greater access to the vulnerable system
    and to other machines behind the firewall on the same DMZ.
    
    
    Fix Information
    ***************
    NGSSoftware alerted Netwin to these problems on the 11th of February; Netwin
    responded quickly with a patch, which was made available on the 14th of
    February 2002 and can be downloaded from
    ftp://netwinsite.com/pub/webnews/beta/
    
    A check for this issue has been added to Typhon II; more information is
    available from the NGSSoftware website, http://www.ngssoftware.com.
    
    Further Information
    *******************
    For further information about the scope and effects of buffer overflows,
    please see
    
    http://www.ngssoftware.com/papers/ntbufferoverflow.html
    http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
    http://www.ngssoftware.com/papers/unicodebo.pdf
    