[NEWS] Another Buffer Overflow in Talentsoft's Web+

From: support@securiteam.com
Date: 03/16/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 16 Mar 2002 12:25:30 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Another Buffer Overflow in Talentsoft's Web+
------------------------------------------------------------------------

SUMMARY

Talentsoft's Web+ v5.0 (http://www.talentsoft.com) is a powerful and
comprehensive development environment for use in creating web-based
client/server applications.
A security vulnerability in the product allows attackers to run arbitrary
code as SYSTEM, effectively compromising the server remotely.

DETAILS

Web Markup Language (wml) script files are created that contain the
application logic. These are requested by a web client from the web server
using either an ISAPI filter (webplus.dll) or a CGI executable
(webplus.exe). These are known as Web+ clients. The Web+ client passes
this request to the Web+ server for dispatch. When a request is made
for an overly long wml file name, an unchecked buffer is overflowed and the
saved return address on the stack is overwritten. In this fashion an
attacker can gain control over the Web+ server's path of execution. By
pointing the process's execution back into the user-supplied buffer,
arbitrary code can be executed.
On Windows machines, as the service runs with SYSTEM privileges, any code
executed will run uninhibited. This is also true on UNIX systems if the
server is running as root.
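As an added illustration (not Web+'s source, which is not public), the bug class the advisory describes: a requested wml name copied into a fixed-size stack buffer with no length check, shown beside a bounded variant that rejects over-long names before any copy happens. WML_NAME_MAX, the function names and the sample requests are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define WML_NAME_MAX 256  /* hypothetical; Web+'s real buffer size is not public */

/* Vulnerable form (CWE-121): the requested .wml name is copied into a fixed
 * stack buffer with no length check, so an over-long name runs past the
 * buffer into the saved return address. Shown for contrast only. */
void dispatch_wml_unchecked(const char *requested)
{
    char name[WML_NAME_MAX];
    strcpy(name, requested);             /* unbounded copy: the bug class */
    printf("dispatching %s\n", name);
}

/* Hardened form: reject names that would not fit (NUL included) or lack a
 * .wml suffix, then copy with an explicit bound. 0 = accepted, -1 = rejected. */
int dispatch_wml_checked(const char *requested, char *out, size_t outlen)
{
    size_t len = strlen(requested);
    if (len >= outlen || len < 5 || strcmp(requested + len - 4, ".wml") != 0)
        return -1;
    memcpy(out, requested, len + 1);     /* bounded: len + 1 <= outlen */
    return 0;
}

/* Run one request through the checked dispatcher and return its verdict. */
int check_request(const char *requested)
{
    char name[WML_NAME_MAX];
    return dispatch_wml_checked(requested, name, sizeof name);
}

/* Constructed input: n bytes of 'A' then ".wml", mimicking the over-long
 * request the advisory describes. -2 if n exceeds the scratch buffer. */
int check_request_of_length(size_t n)
{
    char req[WML_NAME_MAX + 64];
    if (n + 5 > sizeof req)
        return -2;
    memset(req, 'A', n);
    memcpy(req + n, ".wml", 5);
    return check_request(req);
}

int main(void)
{
    printf("index.wml -> %d\n", check_request("index.wml"));    /* 0 */
    printf("300 x 'A' -> %d\n", check_request_of_length(300));  /* -1 */
    return 0;
}
```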

Fix information:
This overflow was discovered on the 6th of March after Talentsoft had
provided a fix for an overflow discovered by NGSSoftware in February.
TalentSoft withdrew this patch to fix this second overflow issue. This
patch has been re-issued and is available from
http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943.
NGSSoftware urges all Web+ customers to apply this as soon as is possible.

A check for this issue has been added to Typhon II, of which more
information is available from the NGSSoftware website,
http://www.ngssoftware.com.

Risk mitigation:
It is suggested that a low privileged account be created and this account
should be used to run the Web+ services - this includes the Monitoring
Service and the Server itself.

ADDITIONAL INFORMATION

The information has been provided by David Litchfield
<david@ngssoftware.com>.

For further information about the scope and effects of buffer overflows,
see:

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
