[30506] in bugtraq
Remote Buffer Overrun WebAdmin.exe
daemon@ATHENA.MIT.EDU (Mark Litchfield)
Tue Jun 24 12:42:33 2003
Message-ID: <0ae801c33a9f$14a90c60$1b01010a@r00t3d.net>
From: "Mark Litchfield" <mark@ngssoftware.com>
To: <bugtraq@securityfocus.com>
Date: Tue, 24 Jun 2003 15:22:21 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0AE5_01C33A64.6831CA60"
------=_NextPart_000_0AE5_01C33A64.6831CA60
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
NGSSoftware Insight Security Research Advisory
Name: Remote System Buffer Overrun WebAdmin.exe
Systems Affected: Windows
Severity: High Risk
Category: Buffer Overrun
Vendor URL: http://www.altn.com/
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 24th June 2003
Advisory number: #NISR2406-03
Description
***********
WebAdmin allows administrators to securely manage MDaemon, RelayFax, and
WorldClient from anywhere in the world
Details
*******
There is a remotely exploitable buffer overrun in the USER parameter.
By default the webadmin.exe process is started as a system service. Any
code being passed to the server by an attacker as a result of this buffer
overrun would therefore (based on a default install) execute with system
privileges.
POST /WebAdmin.dll?View=Logon HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, */*
Referer: http://ngssoftware.com:1000/
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: MyUser Agent
Host: NGSSoftware.com
Content-Length: 74
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: User=NGSSOFTWARE; Lang=en; Theme=Standard
User=LONGSTRING&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In
Fix Information
***************
NGSSoftware alerted ALTN to theses issues on the 19th of June 2003.
A patch has now been made available from
ftp://ftp.altn.com/WebAdmin/Release/wa205_en.exe
A check for these issues has been added to Typhon III, of which more
information is available from the
NGSSoftware website, http://www.ngssoftware.com
Further Information
*******************
For further information about the scope and effects of buffer overflows,
please see
http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
------=_NextPart_000_0AE5_01C33A64.6831CA60--
