[NT] WebTrends Reporting Center Buffer Overflow and Path Disclosure

From: support@securiteam.com
Date: 04/17/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 17 Apr 2002 21:22:36 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  WebTrends Reporting Center Buffer Overflow and Path Disclosure
------------------------------------------------------------------------

SUMMARY

WebTrends Reporting Center provides fast and comprehensive analysis of web
site activity to multiple decision-makers throughout an organization via a
browser-based interface. A buffer overflow vulnerability has been
discovered in the product that allows attackers to cause the program to
execute arbitrary code, thus compromising the system's security (code is
executed with SYSTEM level privileges). In addition, a minor path
disclosure issue has been found, allowing an attacker to reveal sensitive
information about the remote server.

DETAILS

Vulnerable systems:
WebTrends Reporting Center version 4.0d

Buffer Overrun:
To exploit this vulnerability, an attacker must first undergo user
authentication at http://targetmachine:1099/remote_login.pl (where 1099 is
the default TCP port used by the product). However, WebTrends Reporting
Server allows anonymous logins for reports that are made available for
public viewing. After a successful login, making a GET request to
http://targetmachine:1099/reports/(Long Char String) will cause an access
violation in WTRS_UI.EXE (WTX_REMOTE.DLL), overwriting the saved return
address on the stack. The Reporting Server process, WTRS_UI.EXE, is by
default started as a system service along with WTRS.EXE, therefore any
arbitrary code would execute with system privileges.

Path Disclosure:
By making a simple GET request for
http://targetmachine/get_od_toc.pl?Profile= (no authentication required)
an error message is returned:
   Unable to open content file path=C:/PROGRA~1/WEBTRE~1/wtm_wtx/

Fix Information:
NGSSoftware alerted WebTrends to the buffer overrun issue on 31st March
2002, and future versions will be fixed. There is still some question as to
whether a patch will be produced for earlier versions. In the meantime,
NGSSoftware recommend preventing anonymous access to the Reports server.
NGSSoftware also recommend that, where possible, the service be run as a
low privileged account as opposed to starting it as a system service.
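
Until a fixed version is deployed, the two request shapes described above can be looked for in web server or proxy logs. The following is an added example, not part of the original advisory or of any WebTrends or NGSSoftware code. It assumes Common Log Format, and the length threshold, function names and sample log lines are all constructed for illustration (the advisory does not state an overflow length).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the advisory gives no overflow length, so this threshold is a
# tunable guess set well above any legitimate report name.
MAX_REPORT_PATH = 256

# Assumption: Common Log Format; adjust the pattern to your server or proxy.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" \d{3}'
)


def classify(line):
    """Return (source, finding) for a request matching either issue, else None."""
    m = REQUEST_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    url = urlsplit(m.group("target"))
    path = url.path.lower()
    if path.startswith("/reports/"):
        tail = len(path) - len("/reports/")
        if tail > MAX_REPORT_PATH:
            return (m.group("src"), "overlong /reports/ path (%d chars)" % tail)
    if path.endswith("/get_od_toc.pl"):
        # keep_blank_values keeps "Profile=" visible as an empty string.
        profile = parse_qs(url.query, keep_blank_values=True).get("Profile")
        if profile and profile[0] == "":
            return (m.group("src"), "empty Profile on get_od_toc.pl")
    return None


def scan(lines):
    """Collect findings from an iterable of log lines."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (documentation addresses, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Apr/2002:10:00:01 +0200] "GET /reports/summary.htm HTTP/1.0" 200 5120',
    '192.0.2.44 - - [17/Apr/2002:10:02:13 +0200] "GET /reports/' + "A" * 600 + ' HTTP/1.0" 500 0',
    '192.0.2.44 - - [17/Apr/2002:10:02:40 +0200] "GET /get_od_toc.pl?Profile= HTTP/1.0" 200 87',
    '192.0.2.10 - - [17/Apr/2002:10:03:02 +0200] "GET /get_od_toc.pl?Profile=sales HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for src, finding in scan(SAMPLE_LOG):
        print(src, finding)
```

A request that crashes WTRS_UI.EXE may never reach the product's own log, so a proxy or network sensor in front of port 1099 is the more reliable source for these lines.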

ADDITIONAL INFORMATION

The information has been provided by NGSSoftware Insight Security Research
<nisr@ngssoftware.com>.
