Buffer Overrun in Talentsoft's Web+ (3) (#NISR17042002B)

From: NGSSoftware Insight Security Research (nisrat_private)
Date: Tue Apr 16 2002 - 07:09:04 PDT


    NGSSoftware Insight Security Research Advisory
    
    Name:    Web+ Cookie Buffer Overflow
    Systems Affected:  IIS and Web+ 4.6/5.0 on Windows NT/2000
    Severity:  High Risk
    Vendor URL:   http://www.talentsoft.com
    Author:   David Litchfield (davidat_private)
    Date:   17th April 2002
    Advisory number: #NISR17042002B
    Advisory URL:  http://www.ngssoftware.com/advisories/webplus3.txt
    
    Issue: Attackers can run arbitrary code as SYSTEM on the web server.
    
    Description
    ***********
    Talentsoft's Web+ v5.0 is a powerful and comprehensive development
    environment for use in creating web-based client/server applications.
    
    Details
    ********
    By requesting a WML file from the web server and supplying an overly long
    cookie, an attacker overflows an internal buffer and overwrites a saved
    return address on the stack. When the procedure returns, control of the web
    server process's execution can be gained. If the server is running IIS 4
    and using the Web+ ISAPI filter, the process captured is inetinfo.exe. As
    this runs as SYSTEM, any code supplied by an attacker will run uninhibited.
    If the server is running IIS 5.0, the process is dllhost.exe, which runs in
    the context of the IWAM_* account; as this account has limited privileges,
    the risk is reduced. If the Web+ environment is set up using the webplus
    CGI executable, webplus.exe, on either server, then, again, the risk is
    reduced.
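    The pattern behind this class of bug, as an added illustration that is not
    Web+ code and not part of the original advisory: a Cookie value copied into
    a fixed-size stack buffer without a length check, shown beside the
    bounded form that rejects oversized values, plus the kind of header-length
    check a front-end filter or IDS rule can apply before the application sees
    the request. COOKIE_MAX, the request text and the function names are all
    constructed for the example; the advisory does not give Web+'s real buffer
    size.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed size of the stack buffer a Cookie value is copied into.
 * The real Web+ buffer size is not given in the advisory; 64 is illustrative. */
#define COOKIE_MAX 64

/* The vulnerable pattern, kept only for contrast and never given untrusted
 * input here: no length check before the copy, so a value longer than
 * COOKIE_MAX - 1 bytes runs past 'buf' into the saved frame data above it,
 * including the return address the advisory describes. */
int copy_cookie_unchecked(const char *cookie)
{
    char buf[COOKIE_MAX];
    strcpy(buf, cookie);
    return (int)strlen(buf);
}

/* Hardened form: refuse any value that does not fit, terminator included,
 * rather than truncating silently, so the request can be rejected and logged.
 * Returns 0 on success, -1 if the value is too long. */
int copy_cookie_checked(const char *cookie, char *out, size_t outlen)
{
    size_t n = strlen(cookie);
    if (outlen == 0 || n >= outlen)
        return -1;
    memcpy(out, cookie, n + 1);
    return 0;
}

/* Case-insensitive prefix match; header names are case-insensitive. */
static int has_prefix_nocase(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Length of the Cookie header value in a raw request header block
 * ("Name: value\r\n" lines), or -1 if there is no Cookie header. */
long cookie_value_length(const char *request)
{
    const char *p = request;
    while (*p) {
        if (has_prefix_nocase(p, "Cookie:")) {
            p += 7;
            while (*p == ' ' || *p == '\t')
                p++;
            const char *eol = strpbrk(p, "\r\n");
            return (long)(eol ? (size_t)(eol - p) : strlen(p));
        }
        const char *nl = strchr(p, '\n');
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return -1;
}

/* Front-end check a filter or IDS rule would apply before the application
 * sees the header: 1 if the Cookie value exceeds 'limit' bytes, else 0. */
int request_exceeds_cookie_limit(const char *request, size_t limit)
{
    long n = cookie_value_length(request);
    return n > (long)limit ? 1 : 0;
}

/* Build a constructed request for a WML file whose Cookie value is
 * 'cookie_len' bytes of filler. Returns 0, or -1 if 'dst' is too small. */
int build_request_with_cookie(char *dst, size_t dstlen, size_t cookie_len)
{
    static const char head[] =
        "GET /index.wml HTTP/1.0\r\nHost: example.test\r\nCookie: ";
    static const char tail[] = "\r\n\r\n";
    size_t hl = sizeof(head) - 1;
    if (hl + cookie_len + sizeof(tail) > dstlen)
        return -1;
    memcpy(dst, head, hl);
    memset(dst + hl, 'x', cookie_len);
    memcpy(dst + hl + cookie_len, tail, sizeof(tail)); /* copies the NUL too */
    return 0;
}

/* Constructed benign request with a short session cookie. */
static const char benign_request[] =
    "GET /index.wml HTTP/1.0\r\n"
    "Host: example.test\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n";

int main(void)
{
    char out[COOKIE_MAX], big[512], longval[300];

    memset(longval, 'x', sizeof longval - 1);
    longval[sizeof longval - 1] = '\0';
    build_request_with_cookie(big, sizeof big, 300);

    printf("benign cookie length: %ld, over limit: %d\n",
           cookie_value_length(benign_request),
           request_exceeds_cookie_limit(benign_request, COOKIE_MAX - 1));
    printf("oversized request over limit: %d\n",
           request_exceeds_cookie_limit(big, COOKIE_MAX - 1));
    printf("checked copy short: %d, checked copy oversized: %d\n",
           copy_cookie_checked("session=abc123", out, sizeof out),
           copy_cookie_checked(longval, out, sizeof out));
    return 0;
}
```

    The limit used by request_exceeds_cookie_limit is the same constant as
    the buffer size, which is the point: a front-end check is only useful if
    it is at least as strict as the smallest buffer the value will later be
    copied into, and rejecting (rather than truncating) keeps the event
    visible in the logs.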
    
    
    Fix Information
    **************
    Talentsoft have created a patch for this problem. Please see
    http://www.talentsoft.com/download/download.en.wml for more details.
    NGSSoftware urges all Web+ customers to apply it as soon as possible. A
    check for this issue has been added to Typhon II, NGSSoftware's
    vulnerability assessment scanner; more information is available from the
    NGSSite at http://www.ngssoftware.com/.
    
    Further Information
    *******************
    For further information about the scope and effects of buffer overflows,
    please see
    
    http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
    http://www.ngssoftware.com/papers/ntbufferoverflow.html
    http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
    http://www.ngssoftware.com/papers/unicodebo.pdf
    
    This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 14:48:56 PDT