[Full-Disclosure] Buffer Overflow in HAHTsite Scenario Server 5.1

From: Dennis Rand (dra_at_protego.dk)
Date: 04/02/04

    To: <news@securiteam.com>, <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>
    Date: Fri, 2 Apr 2004 15:10:01 +0200
    
    


    PROTEGO Security Advisory #PSA200405
    Topic: Buffer Overflow in HAHTsite Scenario Server 5.1
    Platform: Windows, Solaris and Linux
    Application: HAHTsite Scenario Server 5.1, Patch 1 to 6
    Author: Dennis Rand (dra at protego.dk)
    Advisory URL: http://www.protego.dk/advisories/20045.html
    Vendor Name: HAHT Commerce
    Vendor URL: http://www.haht.com
    Vendor contacted: 12. Nov. 2003
    Public release: 2. Apr. 2004

    Explanation:
    The HAHTsite(R) Scenario Server is a highly flexible, standards-based
    e-business server that offers essential platform features such as
    scalability, high availability, security and extensibility. The Scenario
    Server also offers essential integration features that provide a
    powerful framework for your demand chain management environment.

    Problem:
    The HAHTsite Scenario Server does not perform proper bounds check on
    requests passed to the application. This results in a buffer overflow
    condition, when a large specially crafted request is sent to the server.

    Details:
    The issue can be triggered by requesting:
    http://[hostname]/[cgialias]/hsrun.exe/[ServerGroupName]/[ServerGroupName]/[VeryLongProjectName].htx;start=[PageName]

    This bug affects both background processes (regular server groups), and
    control processes (the administrative server group).

    The following error will appear in the event viewer when this
    vulnerability is exploited:

    ------------------------------------------------------------------
    Event Type: Error
    Event Source: HAHTsite 5.1 Controller
    Event Category: None
    Event ID: 1032
    Description:
    Unexpected termination of server hsadmsrv with PID=xxxx: Exit Reason:
    Unknown Reason
    ------------------------------------------------------------------
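As an added detection example (not part of the advisory or of any HAHT software), the following Python flags access-log requests whose hsrun.exe project-name segment is unusually long and matches the Event ID 1032 crash record for correlation; the sample log lines, the 64-character threshold and the CLF log shape are constructed assumptions, since the advisory gives no buffer size.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Shape of the request the advisory describes (bracketed names are placeholders there):
#   /[cgialias]/hsrun.exe/[ServerGroupName]/[ServerGroupName]/[ProjectName].htx;start=[PageName]
# The ProjectName segment before ".htx" is the field the advisory says is not bounds-checked.
HSRUN_PATH = re.compile(
    r"/hsrun\.exe/(?P<group>[^/]+)/(?P<group2>[^/]+)/(?P<project>[^/;]+)\.htx",
    re.IGNORECASE,
)
REQ_LINE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+)')

# Assumed alert threshold: the advisory gives no buffer size, so set this just above
# the longest legitimate project name in your own deployment.
MAX_PROJECT_NAME = 64

def project_name_length(path: str) -> Optional[int]:
    """Length of the .htx project-name segment of an hsrun.exe path, or None if not one."""
    m = HSRUN_PATH.search(unquote(path))
    return len(m.group("project")) if m else None

def flag_long_hsrun_requests(log_lines, max_len: int = MAX_PROJECT_NAME):
    """Return (line_no, project_len) for access-log lines whose project name exceeds max_len."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        req = REQ_LINE.search(line)
        if not req:
            continue
        plen = project_name_length(req.group("path"))
        if plen is not None and plen > max_len:
            hits.append((n, plen))
    return hits

def is_hsrun_crash_event(event_text: str) -> bool:
    """True when a Windows event matches the advisory's crash record (Event ID 1032,
    "Unexpected termination of server hsadmsrv with PID=xxxx"), for correlating with hits."""
    return ("Event ID: 1032" in event_text
            and re.search(r"Unexpected termination of server \w+ with PID=\d+", event_text) is not None)

# Constructed sample lines (CLF-style) for illustration; not taken from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Apr/2004:15:10:01 +0200] "GET /cgi-bin/hsrun.exe/Default/Default/Shop.htx;start=Home HTTP/1.0" 200 512',
    '10.0.0.9 - - [02/Apr/2004:15:10:07 +0200] "GET /cgi-bin/hsrun.exe/Default/Default/' + "A" * 300 + '.htx;start=Home HTTP/1.0" 500 0',
    '10.0.0.5 - - [02/Apr/2004:15:10:09 +0200] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for n, plen in flag_long_hsrun_requests(SAMPLE_LOG):
        print(f"line {n}: hsrun.exe project name is {plen} chars (> {MAX_PROJECT_NAME})")
```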

    Impact:
    A request like the above will overrun the allocated buffer and overwrite
    EIP (Instruction Pointer), which leads to a service restart and the
    possibility of remote code execution, giving an attacker the opportunity
    to run commands on the server with permission of NT AUTHORITY\SYSTEM.

    PROTEGO has developed a Proof of Concept exploit that will make the
    server return a command prompt with SYSTEM privileges to an attacker.

    Corrective actions:
    This security vulnerability can be corrected by applying the server fix
    [20030010] from www.haht.com/kb

    For Windows:
    ftp://ftp.haht.com/private/support/fixes/5.1/build91/ox79989_buffer_overrun_fix.zip

    For Solaris:
    Contact HAHT Technical Support at support@haht.com.

    For Linux:
    Contact HAHT Technical Support at support@haht.com.

    Disclaimer:
    The information within this document may change without notice. Use of
    this information constitutes acceptance for use in an "AS IS" condition.
    There are NO warranties with regard to this information. In no event
    shall PROTEGO be liable for any consequences or damages, including
    direct, indirect, incidental, consequential, loss of business profits or
    special damages, arising out of or in connection with the use or spread
    of this information. Any use of this information lies within the user's
    responsibility. All registered and unregistered trademarks represented
    in this document are the sole property of their respective owners.



