NGSSoftware Insight Security Research Advisory Name: Web+ Cookie Buffer Overflow Systems Affected: IIS and Web+ 4.6/5.0 on Windows NT/2000 Severity: High Risk Vendor URL: http://www.talentsoft.com Author: David Litchfield (davidat_private) Date: 17th April 2002 Advisory number: #NISR17042002B Advisory URL: http://www.ngssoftware.com/advisories/webplus3.txt Issue: Attackers can run arbitrary code as SYSTEM on the web server. Description *********** Talentsoft's Web+ v5.0 is a powerful and comprehensive development environment for use in creating web-based client/server applications. Details ******** By requesting a WML file from a web server and supplying an overly long cookie, an internal buffer is overflowed, overwriting a saved return address on the stack. On procedure return control over the web server process' execution can be gained. If the server is running IIS 4 and using the Web+ ISAPI filter, then inetinfo.exe is the process captured. As this runs as SYSTEM, any code supplied by an attacker will run uninhibited. If IIS 5.0 then the process is dllhost.exe which runs in the context of the IWAM_* account. As this has limited privileges the risk is reduced. If the Web+ environment is set up using the webplus CGI executable, webplus.exe, on either server, then, again, the risk is reduced. Fix Information ************** Talentsoft have created a patch for this problem. Please see http://www.talentsoft.com/download/download.en.wml for more details. NGSSoftware urges all Web+ customers to apply this as soon as is possible. A check for this issue has been added Typhon II, NGSSoftware's vulnerability assessment scanner, of which more information is available from the NGSSite @ http://www.ngssoftware.com/. Further Information ******************* For further information about the scope and effects of buffer overflows, please see http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf http://www.ngssoftware.com/papers/ntbufferoverflow.html http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf http://www.ngssoftware.com/papers/unicodebo.pdf
This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 14:48:56 PDT