[24543] in bugtraq

Buffer Overrun in Talentsoft's Web+ (#NISR01032002A)

daemon@ATHENA.MIT.EDU (David Litchfield)
Tue Mar 5 15:57:23 2002

From: "David Litchfield" <nisr@nextgenss.com>
To: <bugtraq@securityfocus.com>, <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Date: Tue, 5 Mar 2002 17:55:06 -0000
Message-ID: <01b601c1c46e$f4f443a0$1b01010a@computername>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

NGSSoftware Insight Security Research Advisory

Name:                   Web+ Buffer Overflow
Systems Affected:       IIS4/5 on Windows NT/2000
Severity:               High Risk
Category:               Buffer Overrun / Privilege Escalation
Vendor URL:             http://www.talentsoft.com
Author:                 Mark Litchfield (mark@ngssoftware.com)
Date:                   1st March 2002
Advisory number:        #NISR05032002A

Issue:                  Attackers can exploit a buffer overrun vulnerability
                        to execute arbitrary code as SYSTEM.


Description
***********
Talentsoft's Web+ v5.0 is a powerful and comprehensive development
environment for use in creating web-based client/server applications.

Details
*******
During installation webplus.exe is copied into the cgi-bin or scripts
directory and is used by many of TalentSoft's products, such as Web+
Shop, Web+ Mall and Web+ Enterprise.  An attacker who supplies an overly
long character string to webplus.exe has that string passed on to a
system service, webpsvc.exe.  It is this service that overflows,
overwriting the saved return address on the stack.  Because webpsvc.exe
is started as a system service by default, any arbitrary code executed
on the server runs in the security context of the SYSTEM account, not in
the identity of the IIS process that launched webplus.exe; the overflow
therefore takes an anonymous web request straight to SYSTEM.
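To make the failure mode concrete, the following is an added example in C (not Talentsoft's code and not taken from this advisory) that models the pattern described above: a request string handed from a CGI front end to a service routine that copies it into a fixed-size stack buffer with no length check, shown next to a bounds-checked version. The buffer size SVC_BUF, the frame layout, the handler names and the filler value are all assumptions for illustration; the internals of webpsvc.exe are not published here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical size of the service's fixed stack buffer; not the real figure. */
#define SVC_BUF 64

/* Simplified model of one stack frame in the service: the local buffer
 * followed by the slot that holds the saved return address. Modelling the
 * frame as a struct lets the program show the overwrite without actually
 * corrupting its own stack. */
typedef struct {
    char     buf[SVC_BUF];
    uint64_t saved_ret;
} frame_t;

/* Vulnerable pattern (hypothetical): the request string handed over by the
 * CGI front end is copied into the fixed buffer with no length check, so a
 * long request runs past buf[] into saved_ret. The cap at sizeof(*f) exists
 * only so the simulation itself stays in bounds; the real bug has no cap. */
static int handle_request_vulnerable(frame_t *f, const char *req) {
    size_t n = strlen(req) + 1;            /* includes terminating NUL */
    if (n > sizeof(*f))
        n = sizeof(*f);
    memcpy((unsigned char *)f, req, n);    /* unchecked copy */
    return 0;
}

/* Hardened version: reject anything that does not fit, rather than
 * truncating silently, and copy at most the buffer size. */
static int handle_request_fixed(frame_t *f, const char *req) {
    size_t n = strlen(req);
    if (n >= SVC_BUF)
        return -1;                         /* too long: refuse the request */
    memcpy(f->buf, req, n + 1);
    return 0;
}

/* Constructed over-long request: SVC_BUF bytes of filler, then the bytes of
 * fake_ret, the value an attacker would want to land in the saved-return
 * slot. As with any string-copy overflow, fake_ret must contain no zero
 * byte or the copy stops early. Caller frees the result. */
static char *build_long_request(uint64_t fake_ret) {
    size_t total = SVC_BUF + sizeof fake_ret;
    char *req = malloc(total + 1);
    if (req == NULL)
        return NULL;
    memset(req, 'A', SVC_BUF);
    for (size_t i = 0; i < sizeof fake_ret; i++)
        req[SVC_BUF + i] = (char)((fake_ret >> (8 * i)) & 0xff);
    req[total] = '\0';
    return req;
}

/* Feed the over-long request to the vulnerable handler and report what
 * ended up in the saved-return slot. */
uint64_t run_vulnerable(uint64_t fake_ret) {
    frame_t f;
    memset(&f, 0, sizeof f);
    f.saved_ret = 0x1000;                  /* stand-in for the real return address */
    char *req = build_long_request(fake_ret);
    if (req == NULL)
        return 0;
    handle_request_vulnerable(&f, req);
    free(req);
    return f.saved_ret;
}

/* Same request against the hardened handler: returns -1 (rejected) and
 * leaves the saved-return slot untouched; -3 signals the slot changed. */
int run_fixed(uint64_t fake_ret) {
    frame_t f;
    memset(&f, 0, sizeof f);
    f.saved_ret = 0x1000;
    char *req = build_long_request(fake_ret);
    if (req == NULL)
        return -2;
    int rc = handle_request_fixed(&f, req);
    free(req);
    return (f.saved_ret == 0x1000) ? rc : -3;
}

/* A request that fits is still accepted by the hardened handler. */
int run_fixed_normal(const char *req) {
    frame_t f;
    memset(&f, 0, sizeof f);
    return handle_request_fixed(&f, req);
}

int main(void) {
    uint64_t fake = 0x4242424242424242ULL; /* "BBBBBBBB": easy to spot */
    printf("vulnerable: saved_ret = 0x%016llx\n",
           (unsigned long long)run_vulnerable(fake));
    printf("fixed: rc = %d\n", run_fixed(fake));
    printf("fixed, normal request: rc = %d\n", run_fixed_normal("hello"));
    return 0;
}
```

Compile with any C99 compiler (cc -std=c99 -Wall) and run: the vulnerable handler reports the saved-return slot filled with 0x4242424242424242, while the hardened handler returns -1 and leaves the slot as it was. The same length check belongs in webplus.exe as well, so that the CGI front end never forwards an over-long string to the service in the first place; the service, however, is where the check is mandatory, because it is the component running as SYSTEM.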


Fix Information
***************
NGSSoftware alerted TalentSoft to this problem on 12th February 2002.
Talentsoft has created a patch for this issue and NGSSoftware advises
all Web+ customers to apply it as soon as possible.

Please see http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943 for
more details.

A check for this issue has been added to Typhon II; more information is
available from the NGSSoftware website, http://www.ngssoftware.com.

Further Information
*******************

For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
