Buffer Overrun in Talentsoft's Web+ (#NISR01032002A)

From: David Litchfield (nisr@NEXTGENSS.COM)
Date: 03/05/02


Date:         Tue, 5 Mar 2002 17:55:06 -0000
From: David Litchfield <nisr@NEXTGENSS.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

NGSSoftware Insight Security Research Advisory

Name: Web+ Buffer Overflow
Systems Affected: IIS4/5 on Windows NT/2000
Severity: High Risk
Category: Buffer Overrun / Privilege Escalation
Vendor URL: http://www.talentsoft.com
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 1st March 2002
Advisory number: #NISR05032002A

Issue: Attackers can exploit a buffer overrun vulnerability to execute arbitrary code as SYSTEM.

Description
***********
Talentsoft's Web+ v5.0 is a powerful and comprehensive development
environment for use in creating web-based client/server applications.

Details
*******
During installation webplus.exe is copied into the cgi-bin or scripts
directory and is utilised by many of TalentSoft's products such as Web+
Shop, Web+ Mall and Web+ Enterprise. If an overly long character string
is supplied to webplus.exe, it is passed on to a system service,
webpsvc.exe. It is this service that overflows, overwriting the saved
return address on the stack. Because webpsvc.exe is by default started as
a system service, any arbitrary code executed on the server would run in
the security context of the SYSTEM account.
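As an added example (not part of the advisory, and not NGSSoftware's Typhon II check), the following Python scanner reads IIS W3C extended log lines and flags requests to webplus.exe whose decoded query string is abnormally long, which is the condition the advisory describes reaching webpsvc.exe. The 512-byte threshold, the field layout and the sample log lines are constructed assumptions, not values taken from the advisory.

```python
from urllib.parse import unquote

# Assumed threshold: well above any legitimate Web+ script name, but the
# advisory gives no exact length, so tune this for your own site.
SUSPICIOUS_QUERY_LEN = 512


def parse_w3c(lines):
    """Yield one dict per request from W3C extended log lines.

    The field order is taken from the '#Fields:' header that IIS writes,
    so the parser is not tied to one fixed column layout.
    """
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        yield dict(zip(fields, parts))


def is_webplus_request(rec):
    """True when the request targets webplus.exe in any directory."""
    return rec.get("cs-uri-stem", "").lower().endswith("/webplus.exe")


def flag_overlong_webplus(lines, threshold=SUSPICIOUS_QUERY_LEN):
    """Return (client_ip, uri_stem, decoded_query_length) for each hit."""
    hits = []
    for rec in parse_w3c(lines):
        query = rec.get("cs-uri-query", "-")
        if not is_webplus_request(rec) or query == "-":
            continue
        decoded = unquote(query)  # IIS logs the URL-encoded form
        if len(decoded) >= threshold:
            hits.append((rec.get("c-ip"), rec.get("cs-uri-stem"), len(decoded)))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-03-05 17:55:06 192.0.2.10 GET /cgi-bin/webplus.exe script=shop.wml 200",
    "2002-03-05 17:55:07 192.0.2.10 GET /default.htm - 200",
    "2002-03-05 17:55:09 203.0.113.5 GET /scripts/webplus.exe script=" + "A" * 600 + " 200",
]

if __name__ == "__main__":
    for ip, stem, n in flag_overlong_webplus(SAMPLE_LOG):
        print(f"{ip} {stem} query length {n}")
```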

Fix Information
***************
NGSSoftware alerted TalentSoft to these problems on 12th February 2002.
Talentsoft has created a patch for this issue and NGSSoftware advises
all Web+ customers to apply this as soon as is possible.

Please see http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943 for
more details.

A check for this issue has been added to Typhon II; more information
is available from the NGSSoftware website, http://www.ngssoftware.com.

Further Information
*******************

For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
