Multiple Buffer Overflow vulnerabilities in SteelArrow (#NISR19082002B)

From: NGSSoftware Insight Security Research (nisrat_private)
Date: Mon Aug 19 2002 - 08:04:27 PDT


    NGSSoftware Insight Security Research Advisory
    
    Name:             Multiple Remote Buffer Overruns TOMAHAWKS' STEELARROW
    Systems Affected: WinNT, Win2K (Not tested on other platforms)
    Severity:         High Risk
    Category:         Remote System Buffer Overrun
    Vendor URL:       http://www.tomahawk.com
    Author:           Mark Litchfield (markat_private)
    Date:             19th August 2002
    Advisory number:  #NISR19082002B
    
    
    Description
    ***********
    
    SteelArrow is an easy to use Web Application Server offering the latest in
    Internet connectivity and dynamic content development.  SteelArrow offers
    developers full web application development functionality and fully tested
    run time reliability. Steelarrow operates as an extension (on WinNT/2K) to
    Microsoft IIS, Apache and Netscape Enterprise servers.
    
    Details
    *******
    
    Buffer Overrun 1)
    
    SteelArrow tracks user sessions with cookies in the form of
    UserIdent=XXXXXXXXXXXX.  By supplying an overly long value in the Cookie
    HTTP header a buffer overflow occurs in the Steelarrow Service
    (Steelarrow.exe), overwriting a saved return address on the stack.
    Steelarrow, by default on Win2k/WinNT, is installed as a system service.  Any
    arbitrary code executed using this vulnerability will therefore run with
    system privileges.
    
    Buffer Overrun 2)
    
    By making an overly long request for a .aro (extension used by Steelarrow)
    file, an access violation occurs in DLLHOST.EXE (Steelarrow.dll), again
    overwriting a saved return address on the stack.  Any code will execute in
    the security context of the IWAM account.
    
    Buffer Overrun 3)
    
    It's that Chunked Transfer-Encoding issue again.  By making a request for a
    .aro file and including a specific Transfer-Encoding: Chunked request within
    the HTTP request header fields, an access violation occurs in DLLHOST.EXE
    due to a heap overflow.  Again, any arbitrary code execution will run in the
    context of the IWAM account.
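
    The three conditions above (an oversized UserIdent cookie, an oversized
    request for a .aro file, and a chunked .aro request) can be screened for
    at a reverse proxy or in request logs.  The following is an added example
    written for this archive copy; it is not NGSSoftware's, Tomahawk's or
    Typhon's code.  The length limits MAX_USERIDENT_LEN and MAX_ARO_URI_LEN are
    assumptions chosen for illustration, since the advisory does not state the
    actual buffer sizes; the sample requests are constructed, not captured
    traffic.

```python
"""Request screening for the three SteelArrow issues described in the advisory.

Added example, not vendor or NGSSoftware code.  Thresholds are assumptions:
the advisory gives no exact buffer sizes, so these are illustrative limits.
"""
from typing import Dict, List, Tuple

# Assumed limits (not the real overflow boundaries).  A normal UserIdent is a
# short token, and a normal .aro request line is well under 512 bytes.
MAX_USERIDENT_LEN = 64
MAX_ARO_URI_LEN = 512


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request head into (method, target, headers).

    Header names are lower-cased; repeated headers are joined with ', '.
    Only the head is parsed; anything after the blank line is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method, target = parts[0], parts[1]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return method, target, headers


def cookie_value(cookie_header: str, name: str) -> str:
    """Return the value of cookie `name` from a Cookie header, or '' if absent."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return ""


def screen_request(raw: str) -> List[str]:
    """Return the advisory conditions present in `raw`, in advisory order.

    1. oversized UserIdent cookie   (Steelarrow.exe stack overrun, SYSTEM)
    2. oversized .aro request       (Steelarrow.dll stack overrun, IWAM)
    3. chunked .aro request         (Steelarrow.dll heap overrun, IWAM)
    """
    _method, target, headers = parse_request(raw)
    path = target.split("?", 1)[0]
    is_aro = path.lower().endswith(".aro")
    findings: List[str] = []

    ident = cookie_value(headers.get("cookie", ""), "UserIdent")
    if len(ident) > MAX_USERIDENT_LEN:
        findings.append("oversized-userident-cookie")

    if is_aro and len(target) > MAX_ARO_URI_LEN:
        findings.append("oversized-aro-request")

    if is_aro and "chunked" in headers.get("transfer-encoding", "").lower():
        findings.append("chunked-aro-request")

    return findings


# Constructed sample requests (hypothetical host, not captured traffic).
BENIGN = (
    "GET /app/index.aro HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Cookie: UserIdent=ABCDEF123456\r\n\r\n"
)
LONG_COOKIE = (
    "GET /app/index.aro HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    f"Cookie: lang=en; UserIdent={'A' * 200}\r\n\r\n"
)
LONG_ARO = (
    f"GET /{'b' * 600}.aro HTTP/1.1\r\n"
    "Host: www.example.test\r\n\r\n"
)
CHUNKED_ARO = (
    "POST /app/index.aro HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Transfer-Encoding: chunked\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("long cookie", LONG_COOKIE),
                       ("long .aro", LONG_ARO), ("chunked .aro", CHUNKED_ARO)]:
        print(f"{label:12s} -> {screen_request(req)}")
```

    The screen deliberately keys on the .aro extension for conditions 2 and 3,
    because the advisory ties both DLLHOST.EXE faults to requests for that file
    type; a request for a .aro file that also carries an oversized UserIdent
    cookie will report more than one finding.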
    
    Fix Information
    ***************
    NGSSoftware alerted the vendor to these buffer overflow issues on the 1st,
    2nd and 3rd of April 2002.  A fix is available from
    http://www.steelarrow.com
    
    A check for these issues has been added to Typhon II, of which more
    information is available from the NGSSoftware website,
    http://www.ngssoftware.com.
    
    Further Information
    *******************
    
    For further information about the scope and effects of buffer overflows,
    please see
    
    http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
    http://www.ngssoftware.com/papers/ntbufferoverflow.html
    http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
    http://www.ngssoftware.com/papers/unicodebo.pdf
    