[VulnWatch] Witango & Tango 2000 Application Server Remote System Buffer Overrun

From: Next Generation Insight Security Reseach Team (mark_at_ngssoftware.com)
Date: 07/19/03

  • Next message: Last Stage of Delirium: "[VulnWatch] Re: [LSD] Critical security vulnerability in Microsoft Operating Systems"
    To: <bugtraq@securityfocus.com>, <vulndb@securityfocus.com>, <vulnwatch@vulnwatch.org>
    Date: Fri, 18 Jul 2003 16:51:56 -0700
    
    

    NGSSoftware Insight Security Research Advisory

    Name: WiTango Application Server & Tango 2000
    Systems Affected: Windows
    Severity: Critical Risk
    Category: Remote System Buffer Overrun
    Vendor URL: http://www.witango.com
    Author: Mark Litchfield (mark@ngssoftware.com)
    Date: 18th July 2003
    Advisory number: #NISR18072003

    Description
    ***********

    As detailed on http://www.witango.com - Witango can provide your Web
    Application with a solid application framework, a simple interface for both
    the production and ongoing maintenance of complex application logic, a
    variety of mechanisms to integrate to non-web interfaces, and a wide range
    of database connectivity options. The Witango product suite provides a
    comprehensive Integrated Development Environment (IDE) to enable application
    developers to rapidly generate XML files which can then be deployed to a
    wide range of operating systems. Witango is a fast to learn, easy to use,
    scalable solution for the Professional Web Application Developer.

    Details
    *******

    By passing a long cookie to Witango_UserReference we overwrite the saved
    return address on the stack. As Witango is installed as LocalSystem, any
    arbitrary code execution will run as SYSTEM

    GET /ngssoftware.tml HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
    application/x-shockwave-flash, */*
    Accept-Language: en-gb
    User-Agent: My Browser
    Host: ngssoftware.com
    Connection: Keep-Alive
    Cookie: Witango_UserReference= parameter length 2864

    I have been asked by Phil Wade of Witango to mention the following: "We also
    did some tests on older versions of the server and found the vulnerability
    also exists in the previous version of the server which was known as Tango
    2000. Can you also mention that Tango 2000 is also vulnerable and should be
    upgraded to Witango 5.0.1.062 especially if the Tango 2000 server is
    accessible from the internet"

    Fix Information
    ***************

    NGSSoftware alerted Witango to this issue on 13th July 2003. I would like
    to mention, that Witango acted very quickly in producing a patch helping to
    ensure that their clients are protected. Please visit
    http://www.witango.com to download the latest build.

    A check for this issue has been added to Typhon, a comprehensive automated
    vulnerability assessment tool of which more information is available from
    the
    NGSSite http://www.ngssoftware.com

    About NGSSoftware
    *****************

    NGSSoftware design, research and develop intelligent, advanced application
    security assessment scanners. Based in the United Kingdom, NGSSoftware have
    offices in London, and St Andrews Scotland. NGSSoftware's sister company
    NGSConsulting, offers best of breed security consulting services,
    specialising in application, host and network security assessments.

    http://www.ngssoftware.com
    http://www.ngsconsulting.com

    Telephone: +44 208 40 100 70
    Fax: +44 208 401 0076


  • Next message: Last Stage of Delirium: "[VulnWatch] Re: [LSD] Critical security vulnerability in Microsoft Operating Systems"