[12088] in bugtraq
Security flaw in Mediahouse Statistics Server v4.28 & 5.01
daemon@ATHENA.MIT.EDU (per_bergehed@HOTMAIL.COM)
Fri Oct 1 14:36:34 1999
Message-Id: <19990930212145.23696.qmail@securityfocus.com>
Date: Thu, 30 Sep 1999 21:21:45 -0000
Reply-To: per_bergehed@HOTMAIL.COM
From: per_bergehed@HOTMAIL.COM
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Security flaw in Mediahouse Statistics Server v4.28 & 5.01.
-----------------------------------------------------------
My colleague found a security flaw in Mediahouse Statistics
Server a couple of weeks ago. I contacted Mediahouse about
this issue on the 8th of September. They are aware of the
problem but they have still not published a fix.
I submit this information to inform current users of
the product that it is not safe. Hopefully Mediahouse
will publish a fix soon.
A more detailed description of the flaw can be found at
http://w1.855.telia.com/~u85513179/index.html
Vulnerable versions:
--------------------
Mediahouse Statistics Server 4.28, 5.0.
(Probably the previous versions too!)
(The Statistics Server runs on Windows NT 4.0)
Description:
------------
There is an "unchecked buffer" in the web interface for
remote administration of Statistics Server. For example:
Mediahouse's own live demo page at
http://stats.mhstats.com/_938425738_/
The "server ID" login page can be used for a "buffer
overflow" attack. The input field is only validated on
the client side (web browser). This is easy to circumvent.
The second flaw is the configuration file (ss.cfg) which
contains the administrator password in clear-text!
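A constructed C illustration of the bug class described above, added here and not the vendor's code: the first function shows the unchecked copy that trusts the browser's validation, the second enforces the length limit on the server itself. The field name "serverid", the 64-character limit and the form-body layout are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define SERVER_ID_MAX 64   /* assumed limit the client-side check enforces */

/* Bug pattern: the value arrives straight from the request and is copied
 * into a fixed buffer. Nothing on the server re-checks the length, so a
 * value longer than the buffer corrupts the stack. Never call this with
 * untrusted input; it is here only to show the defect. */
void login_unchecked(const char *server_id) {
    char id[SERVER_ID_MAX];
    strcpy(id, server_id);          /* no bound: overflow on long input */
    (void)id;
}

/* Hardened form: locate `name` in an application/x-www-form-urlencoded
 * body and copy its (still URL-encoded) value into out. Values longer
 * than max_len are rejected outright rather than truncated, so the
 * caller can fail the request instead of relying on the browser.
 * Returns the value length, or -1 if the field is missing or too long. */
int get_form_field(const char *body, const char *name, size_t max_len,
                   char *out, size_t out_size) {
    size_t name_len = strlen(name);
    const char *p = body;
    if (body == NULL || out_size == 0) return -1;
    while (p && *p) {
        if (strncmp(p, name, name_len) == 0 && p[name_len] == '=') {
            const char *v = p + name_len + 1;
            const char *end = strchr(v, '&');
            size_t n = end ? (size_t)(end - v) : strlen(v);
            if (n > max_len || n >= out_size) return -1;
            memcpy(out, v, n);
            out[n] = '\0';
            return (int)n;
        }
        p = strchr(p, '&');          /* skip to the next field */
        if (p) p++;
    }
    return -1;
}

int main(void) {
    char id[SERVER_ID_MAX + 1];
    /* constructed request body, as a browser would submit it */
    int n = get_form_field("user=admin&serverid=demo01", "serverid",
                           SERVER_ID_MAX, id, sizeof id);
    printf("%d %s\n", n, n >= 0 ? id : "(rejected)");
    return 0;
}
```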
Exploit:
--------
Use your personal "favourite tool" to send >3773
characters into the Statistics Server and it will
generate a "Dr Watson"!
There is a "brain.ini" file for the Retina security
scanner on my description site.
If you have plans to write an exploit you might find
this useful: Statistics Server v4.28 will "jump" to
the address "65656565" if you send a couple of 'a's.
Workarounds:
------------
1. Restrict access to Statistics Server in your firewall.
2. Run the Statistics Server service under a user account
with lower privileges.
3. Set proper ACLs on the configuration file:
"C:\StatisticsServer\ss.cfg".
4. Don't open up your firewall until a fix is released!! :o)
References:
-----------
http://www.mediahouse.com
http://w1.855.telia.com/~u85513179/index.html
Credit:
-------
This vulnerability was discovered by a colleague of mine.
He was investigating the security on my behalf. He wishes
to stay anonymous. I'll forward any messages.
Best regards
Per Bergehed
-------------------------------
Per Bergehed, Telia IP-Services
mailto:Per.Bergehed@hotmail.com