Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Witango Application Server Buffer Overflow Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1007231
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jul 18 2003
|
Impact: Execution of arbitrary code via network, Root access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: NGSSoftware
|
Version(s): prior to 5.0.1.062
|
Description: A buffer overflow vulnerability was reported in the Witango Application Server. A remote user can execute arbitrary code with System privileges.
NGSSoftware Insight Security Research reported that a remote user can provide a specially crafted Witango_UserReference cookie to
the server to trigger a stack overflow and overwrite the saved return address. Arbitrary code can be executed with System privileges,
according to the advisory.
A demonstration exploit transcript is provided:
GET /ngssoftware.tml HTTP/1.1
Accept: image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
application/x-shockwave-flash,
*/*
Accept-Language: en-gb
User-Agent: My Browser
Host: ngssoftware.com
Connection: Keep-Alive
Cookie: Witango_UserReference=
parameter length 2864
The report indicates that 'Tango 2000' (an older version of the product) is also affected.
The vendor
was reportedly notified on July 13, 2003.
|
Impact: A remote user can execute arbitrary code on the target server with System level privileges.
|
Solution: The vendor has released a fixed version (5.0.1.062), available at:
http://www.witango.com/
[Editor's note: At the time of this entry, we could not find the fixed version on the vendor's web site.]
|
Vendor URL: www.witango.com/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: "Next Generation Insight Security Reseach Team" <mark@ngssoftware.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 18 Jul 2003 16:51:56 -0700
From: "Next Generation Insight Security Reseach Team" <mark@ngssoftware.com>
Subject: Witango & Tango 2000 Application Server Remote System Buffer Overrun
|
NGSSoftware Insight Security Research Advisory
Name: WiTango Application Server & Tango 2000
Systems Affected: Windows
Severity: Critical Risk
Category: Remote System Buffer Overrun
Vendor URL: http://www.witango.com
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 18th July 2003
Advisory number: #NISR18072003
Description
***********
As detailed on http://www.witango.com - Witango can provide your Web
Application with a solid application framework, a simple interface for both
the production and ongoing maintenance of complex application logic, a
variety of mechanisms to integrate to non-web interfaces, and a wide range
of database connectivity options. The Witango product suite provides a
comprehensive Integrated Development Environment (IDE) to enable application
developers to rapidly generate XML files which can then be deployed to a
wide range of operating systems. Witango is a fast to learn, easy to use,
scalable solution for the Professional Web Application Developer.
Details
*******
By passing a long cookie to Witango_UserReference we overwrite the saved
return address on the stack. As Witango is installed as LocalSystem, any
arbitrary code execution will run as SYSTEM
GET /ngssoftware.tml HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
application/x-shockwave-flash, */*
Accept-Language: en-gb
User-Agent: My Browser
Host: ngssoftware.com
Connection: Keep-Alive
Cookie: Witango_UserReference= parameter length 2864
I have been asked by Phil Wade of Witango to mention the following: "We also
did some tests on older versions of the server and found the vulnerability
also exists in the previous version of the server which was known as Tango
2000. Can you also mention that Tango 2000 is also vulnerable and should be
upgraded to Witango 5.0.1.062 especially if the Tango 2000 server is
accessible from the internet"
Fix Information
***************
NGSSoftware alerted Witango to this issue on 13th July 2003. I would like
to mention, that Witango acted very quickly in producing a patch helping to
ensure that their clients are protected. Please visit
http://www.witango.com to download the latest build.
A check for this issue has been added to Typhon, a comprehensive automated
vulnerability assessment tool of which more information is available from
the
NGSSite http://www.ngssoftware.com
About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in London, and St Andrews Scotland. NGSSoftware's sister company
NGSConsulting, offers best of breed security consulting services,
specialising in application, host and network security assessments.
http://www.ngssoftware.com
http://www.ngsconsulting.com
Telephone: +44 208 40 100 70
Fax: +44 208 401 0076
|
|
Go to the Top of This SecurityTracker Archive Page
|
