Remote Buffer Overrun WebAdmin.exe

From: Mark Litchfield (mark_at_ngssoftware.com)
Date: 06/25/03

    To: <bugtraq@securityfocus.com>
    Date: Tue, 24 Jun 2003 15:22:21 -0700

    NGSSoftware Insight Security Research Advisory

    Name: Remote System Buffer Overrun WebAdmin.exe
    Systems Affected: Windows
    Severity: High Risk
    Category: Buffer Overrun
    Vendor URL: http://www.altn.com/
    Author: Mark Litchfield (mark@ngssoftware.com)
    Date: 24th June 2003
    Advisory number: #NISR2406-03

    Description
    ***********

    WebAdmin allows administrators to securely manage MDaemon, RelayFax, and
    WorldClient from anywhere in the world.

    Details
    *******

    There is a remotely exploitable buffer overrun in the USER parameter.

    By default the webadmin.exe process is started as a system service. Any
    code being passed to the server by an attacker as a result of this buffer
    overrun would therefore (based on a default install) execute with system
    privileges.

    POST /WebAdmin.dll?View=Logon HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/x-shockwave-flash, */*
    Referer: http://ngssoftware.com:1000/
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: MyUser Agent
    Host: NGSSoftware.com
    Content-Length: 74
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: User=NGSSOFTWARE; Lang=en; Theme=Standard

    User=LONGSTRING&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In
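
A defensive length check for the logon request shown above, as an added example that is not part of the original advisory or of ALTN's patch. It could sit in a reverse proxy or log-replay tool in front of an unpatched WebAdmin. The 64-byte limit, the `webadmin.example` host and the sample requests are assumptions constructed for illustration; the advisory states no length, and the cookie is checked as well because the request carries `User` in both places.

```python
from urllib.parse import parse_qsl, urlsplit

MAX_FIELD_LEN = 64        # assumed policy limit; the advisory states no length
WATCHED = {"user"}        # field named in the advisory, matched case-insensitively

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def oversized_logon_fields(raw: bytes, limit: int = MAX_FIELD_LEN):
    """Return (source, field, length) for each watched field longer than limit."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    view = {k.lower(): v.lower() for k, v in parse_qsl(url.query)}.get("view")
    if (method, url.path.lower(), view) != ("POST", "/webadmin.dll", "logon"):
        return []
    # latin-1 decoding maps each byte (raw or %xx-encoded) to one character,
    # so len() below is the byte count the server would have to store.
    fields = [("body", n, v) for n, v in parse_qsl(
        body.decode("latin-1"), keep_blank_values=True, encoding="latin-1")]
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        fields.append(("cookie", name, value))
    return [(src, n, len(v)) for src, n, v in fields
            if n.lower() in WATCHED and len(v) > limit]

def build_request(user: str) -> bytes:
    """Constructed sample request shaped like the one in the advisory."""
    body = f"User={user}&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In"
    return (f"POST /WebAdmin.dll?View=Logon HTTP/1.1\r\n"
            f"Host: webadmin.example\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n"
            f"Cookie: User=NGSSOFTWARE; Lang=en; Theme=Standard\r\n"
            f"\r\n{body}").encode("latin-1")

if __name__ == "__main__":
    print(oversized_logon_fields(build_request("postmaster")))
    print(oversized_logon_fields(build_request("A" * 300)))
```

A request that returns a non-empty list should be rejected or alerted on before it reaches the service; the check does not replace installing the vendor patch.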

    Fix Information
    ***************

    NGSSoftware alerted ALTN to these issues on the 19th of June 2003.
    A patch has now been made available from
    ftp://ftp.altn.com/WebAdmin/Release/wa205_en.exe

    A check for these issues has been added to Typhon III, of which more
    information is available from the
    NGSSoftware website, http://www.ngssoftware.com

    Further Information
    *******************

    For further information about the scope and effects of buffer overflows,
    please see

    http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
    http://www.ngssoftware.com/papers/ntbufferoverflow.html
    http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
    http://www.ngssoftware.com/papers/unicodebo.pdf

