[NT] Netwin Webnews.exe (utoken)
From: support@securiteam.com
Date: 02/23/02
From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 23 Feb 2002 14:44:29 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Netwin Webnews.exe (utoken)
------------------------------------------------------------------------
SUMMARY
<http://www.netwinsite.com/> CWMail is a fully featured Corporate Web
Mail System for institutions or ISPs using the web as their primary means
of access to email. Netwin's WebNEWS contains a remotely exploitable
buffer overrun that allows the execution of arbitrary code.
DETAILS
WebNEWS is a server side application (cgi) which provides users with web
based access to Internet News Groups. It is compatible with any standard
NNTP (Network News) server system. WebNEWS allows news groups to be
displayed, accessed, and searched via a web-based interface. WebNEWS may
be used to provide a web based news service, similar to the popular Deja
News Services. Providing Web access to news gives users access to their
news from anywhere on the net. All they need is a web browser.
Details:
Webnews.exe is the main executable that provides the program's
functionality. The buffer overflow problem manifests itself when an
overly long string (c. 1500 bytes) is supplied in the group parameter of
the query string when the server receives a valid "utoken". The "utoken"
is the user token supplied by the server for a given session.
In terms of an attack, any code executed will run in the security context
of the low-privileged account used by IIS to service such requests, so it
won't have full control over the system. That said, it is imperative that
this be addressed, as it allows an attacker greater access to the
vulnerable system and to other machines behind the firewall on the same DMZ.
ADDITIONAL INFORMATION
The information has been provided by <mailto:nisr@nextgenss.com>
NGSSoftware Insight Security Research.
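For defenders reviewing IIS logs for the condition described under DETAILS, the following is an added example and not part of the original advisory or of Netwin's or NGSSoftware's code. It assumes W3C extended logging, that the parameters appear in the query string as `utoken=` and `group=`, a hypothetical `/cgi-bin/` install path, and an alert threshold of 256 characters chosen well below the reported c. 1500 bytes.

```python
from urllib.parse import parse_qs

# Assumption: legitimate newsgroup names are far shorter than this; the advisory
# reports the overrun at roughly 1500 bytes, so alert well below that.
MAX_GROUP_LEN = 256

# Constructed sample in IIS W3C extended format; path, IPs and tokens are made up.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-02-23 13:01:10 192.0.2.10 GET /cgi-bin/webnews.exe utoken=abc123&group=comp.security.misc 200",
    "2002-02-23 13:02:44 192.0.2.77 GET /cgi-bin/Webnews.exe utoken=abc999&group=" + "A" * 1500 + " 500",
    "2002-02-23 13:03:02 192.0.2.10 GET /default.htm - 200",
    "2002-02-23 13:04:19 192.0.2.78 GET /cgi-bin/webnews.exe group=" + "B" * 300 + " 200",
])


def find_oversized_group_requests(log_text, max_len=MAX_GROUP_LEN):
    """Return one dict per logged Webnews.exe request whose group value exceeds max_len."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        stem = row.get("cs-uri-stem", "").lower()
        if not stem.endswith("/webnews.exe"):
            continue
        params = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True)
        longest = max((len(v) for v in params.get("group", [])), default=0)
        if longest > max_len:
            hits.append({
                "time": f'{row.get("date", "")} {row.get("time", "")}',
                "client": row.get("c-ip", ""),
                "group_len": longest,
                # The advisory's trigger needs a valid utoken; requests without
                # one are still reported but marked so they can be triaged lower.
                "has_utoken": "utoken" in params,
                "status": row.get("sc-status", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in find_oversized_group_requests(SAMPLE_LOG):
        print(hit)
```

The same length limit can be enforced in front of the CGI by a request filter; the log check only shows whether oversized values have already been sent.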
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.