[NT] Remote System Buffer Overrun in WebAdmin.exe

From: SecuriTeam (support_at_securiteam.com)
Date: 06/24/03

  • Next message: SecuriTeam: "[EXPL] Exploit Released for Buffer Overrun in WebAdmin.exe" 
    To: list@securiteam.com
Date: 24 Jun 2003 19:33:32 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security in Canada

    Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
    We welcome ISPs, system integrators and IT systems resellers
    to promote the most advanced vulnerability assessment solutions today.

    Contact us at 416-482-0038 or at canadasales@beyondsecurity.com

    - - - - - - - - -

      Remote System Buffer Overrun in WebAdmin.exe
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.altn.com/> WebAdmin allows administrators to securely manage
    MDaemon, RelayFax, and WorldClient from anywhere in the world. There is a
    remotely exploitable buffer overrun in the USER parameter.

    DETAILS

    By default the webadmin.exe process is started as a system service. Any
    code being passed to the server by an attacker as a result of this buffer
    overrun would therefore (based on a default install) execute with system
    privileges.

    POST /WebAdmin.dll?View=Logon HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/x-shockwave-flash, */*
    Referer: http://ngssoftware.com:1000/
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: MyUser Agent
    Host: NGSSoftware.com
    Content-Length: 74
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: User=NGSSOFTWARE; Lang=en; Theme=Standard

    User=LONGSTRING&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In

    Fix Information:
    NGSSoftware alerted ALTN to theses issues on the 19th of June 2003. A
    patch has now been made available from
    <ftp://ftp.altn.com/WebAdmin/Release/wa205_en.exe>
    ftp://ftp.altn.com/WebAdmin/Release/wa205_en.exe

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:mark@ngssoftware.com> Mark
    Litchfield.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] Exploit Released for Buffer Overrun in WebAdmin.exe"

    Relevant Pages