2nd Buffer Overflow in Talentsoft's Web+ (#NISR13032002)

From: NGSSoftware Insight Security Research (nisr@NEXTGENSS.COM)
Date: 03/13/02


Date:         Wed, 13 Mar 2002 13:00:41 -0000
From: NGSSoftware Insight Security Research <nisr@NEXTGENSS.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

NGSSoftware Insight Security Research Advisory

Name: Web+ Buffer Overflow
Systems Affected: Web+ 4.6/5.0 on Windows NT/2000, Solaris, Linux
Severity: High Risk
Vendor URL: http://www.talentsoft.com
Author: David Litchfield (david@ngssoftware.com)
Date: 13th March 2002
Advisory number: #NISR13032002
Advisory URL: http://www.ngssoftware.com/advisories/webplus2.txt

Issue: Attackers can run arbitrary code as SYSTEM.

Description
***********
Talentsoft's Web+ v5.0 is a powerful and comprehensive development
environment for use in creating web-based client/server applications.

Details
*******
Web Markup Language (wml) scripts files are created that contain the
application logic. These are requested by a web client from the web server
using either an ISAPI filter (webplus.dll) or a CGI executable
(webplus.exe). These are known as Web+ clients. The Web+ client passes this
request to the Web+ plus server for dispatch. When a request is made for an
overly long wml file an unchecked buffer is overflowed and the saved return
address on the stack is overwritten. In this fashion an attacker can gain
control over the Web+ server's path of execution. By pointing the process'
execution back into the user supplied buffer arbitrary code can be executed.
On Windows machines, as the service runs with SYSTEM privileges any code
executed will run uninhibited. This is also true of unix systems if the
server is running as root.

Fix Information
***************
This overflow was discovered on the 6th of March after Talentsoft had
provided a fix for an overflow discovered by NGSSoftware in Februrary.
TalentSoft withdrew this patch to fix this second overflow issue. This patch
has been re-issued and is available from
http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943. NGSSoftware urges
all Web+ customers to apply this as soon as is possible.

A check for this issue has been added to Typhon II, of which more
information is available from the NGSSoftware website,
http://www.ngssoftware.com.

Risk Mitigation
***************
It is suggested that an low privileged account be created and this account
should be used to run the Web+ services - this includes the Monitoring
Service and the Server itself.

Further Information
*******************

For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf



Relevant Pages

  • 2nd Buffer Overflow in Talentsofts Web+ (#NISR13032002)
    ... NGSSoftware Insight Security Research Advisory ... Attackers can run arbitrary code as SYSTEM. ... execution back into the user supplied buffer arbitrary code can be executed. ... provided a fix for an overflow discovered by NGSSoftware in Februrary. ...
    (Bugtraq)
  • Re: Security risk to eval?
    ... allow the execution of random or arbitrary code; ... get http-request to the server, a malignant user of some defective ... Note that an insecurity can be detected by using only a local script in ...
    (comp.lang.javascript)
  • [NEWS] Another Buffer Overflow in Talentsofts Web+
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... effectively compromising the server remotely. ... attacker can gain control over the Web+ server's path of execution. ... provided a fix for an overflow discovered by NGSSoftware in Februrary. ...
    (Securiteam)
  • Re: security update: quello giusto?
    ... Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X ... Mac OS X Server v10.4.5 ... Attackers may cause crashes or arbitrary code execution ...
    (it.comp.macintosh)
  • Re: Is Windows 98 SE More Secure Than OS X?
    ... holes that are marked "Extreme Criticality" by Secunia. ... execution of arbitrary code on a user's system if a specially crafted ... chunked transfer encoding may allow execution of arbitrary code if a user is ... Man that's a lot of vulnerablities. ...
    (comp.sys.mac.advocacy)