[NEWS] Buffer Overflow in HAHTsite Scenario Server

From: SecuriTeam (support_at_securiteam.com)
Date: 04/05/04

  • Next message: SecuriTeam: "[NEWS] Open Source Vulnerability Database Opens for Public Access"
    To: list@securiteam.com
    Date: 5 Apr 2004 11:07:21 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Buffer Overflow in HAHTsite Scenario Server
    ------------------------------------------------------------------------

    SUMMARY

    The <http://www.haht.com> HAHTsite Scenario Server is "a highly flexible,
    standards-based e-business server that offers essential platform features
    such as scalability, high availability, security and extensibility. The
    Scenario Server also offers essential integration features that provide a
    powerful framework for your demand chain management environment".

    The HAHTsite Scenario Server does not perform proper bounds check on
    requests passed to the application. This results in a buffer overflow
    condition, when a large specially crafted request is sent to the server.

    DETAILS

    Vulnerable Systems:
     * HAHTsite Scenario Server version 5.1, Patch 1 to 6

    The issue can be triggered by requesting:
    http://[hostname]/[cgialias]/hsrun.exe/[ServerGroupName]/[ServerGroupName]/[VeryLongProjectName].htx;start=[PageName]

    This bug affects both background processes (regular server groups), and
    control processes (the administrative server group).

    The following error will appear in the event viewer when this
    vulnerability is exploited:

    - ------------------------------------------------------------------
    Event Type: Error
    Event Source: HAHTsite 5.1 Controller
    Event Category: None
    Event ID: 1032
    Description:
    Unexpected termination of server hsadmsrv with PID=xxxx: Exit Reason:
    Unknown Reason
    - ------------------------------------------------------------------

    Impact:
    A request like the above will overrun the allocated buffer and overwrite
    EIP (Instruction Pointer), which leads to a service restart and the
    possibility of remote code execution, giving an attacker the opportunity
    to run commands on the server with permission of NT AUTHORITY\SYSTEM.

    Corrective actions:
    This security vulnerability can be corrected by applying the server fix
    [20030010] from <http://www.haht.com/kb> http://www.haht.com/kb

    For Windows:
     
    <ftp://ftp.haht.com/private/support/fixes/5.1/build91/ox79989_buffer_overrun_fix.zip> ftp://ftp.haht.com/private/support/fixes/5.1/build91/ox79989_buffer_overrun_fix.zip

    For Solaris:
    Contact HAHT Technical Support at <mailto:support@haht.com>
    support@haht.com.

    For Linux:
    Contact HAHT Technical Support at <mailto:support@haht.com>
    support@haht.com.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:dra@protego.dk> Dennis Rand.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NEWS] Open Source Vulnerability Database Opens for Public Access"

    Relevant Pages

    • SecurityFocus Microsoft Newsletter #171
      ... Better Management for Network Security ... GoodTech Telnet Server Remote Denial Of Service Vulnerabilit... ... ASPApp PortalAPP Remote User Database Access Vulnerability ...
      (Focus-Microsoft)
    • SecurityFocus Microsoft Newsletter #174
      ... This issue sponsored by: Tenable Network Security ... the worlds only 100% passive vulnerability ... MICROSOFT VULNERABILITY SUMMARY ... Novell Netware Enterprise Web Server Multiple Vulnerabilitie... ...
      (Focus-Microsoft)
    • SecurityFocus Microsoft Newsletter # 150
      ... - automatically set positive security policies for real-time protection, ... MICROSOFT VULNERABILITY SUMMARY ... Meteor FTP Server USER Memory Corruption Vulnerability ... MDaemon SMTP Server Null Password Authentication Vulnerabili... ...
      (Focus-Microsoft)
    • SecurityFocus Microsoft Newsletter #69
      ... LANguard Security Event Log Monitor: ... MICROSOFT VULNERABILITY SUMMARY ... BrowseFTP Client Buffer Overflow Vulnerability ... Michael Lamont Savant Web Server Long Request DoS Vulnerability ...
      (Focus-Microsoft)
    • Re: [Full-disclosure] Full-Disclosure Digest, Vol 79, Issue 21
      ... See MS advisory for full list of affected products. ... Seeker Research Center Security Advisory ... This vulnerability was discovered by Seeker? ... The request also contains other parameters required by the page, the vulnerable parameter being the parameter noted above. ...
      (Full-Disclosure)