Alt-N WebAdmin Buffer Overflow in 'USER' Parameter Lets Remote Users Execute Arbitrary Code With System Privileges
SecurityTracker Alert ID: 1007049
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 24 2003
Impact: Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Advisory: NGSSoftware
Version(s): 2.04
Description: A buffer overflow vulnerability was reported in Alt-N's WebAdmin. A remote user can execute arbitrary code.
NGSSoftware reported that a remote user can supply a specially crafted value for the 'User' parameter in a POST request to the 'WebAdmin.dll?View=Logon'
script to trigger a buffer overflow. The report indicates that 'webadmin.exe' is run as a system service in a default installation,
so the arbitrary code will execute with System privileges.
The vendor was reportedly notified on June 19, 2003.
Impact: A remote user can execute arbitrary code on the server with System level privileges.
Solution: The vendor has released a fixed version (2.05), available at:
http://www.altn.com/download/default.asp#WebAdmin
ftp://ftp.altn.com/WebAdmin/Release/wa205_en.exe
Vendor URL: www.altn.com/products/default.asp?catalog%5Fname=Products&category%5Fname=Software&product%5Fid=WebAdmin
Cause: Boundary error
Underlying OS: Windows (Any)
Reported By: "Mark Litchfield" <mark@ngssoftware.com>
Message History:
None.
Source Message Contents
Date: Tue, 24 Jun 2003 15:22:21 -0700
From: "Mark Litchfield" <mark@ngssoftware.com>
Subject: Remote Buffer Overrun WebAdmin.exe
NGSSoftware Insight Security Research Advisory

Name: Remote System Buffer Overrun WebAdmin.exe
Systems Affected: Windows
Severity: High Risk
Category: Buffer Overrun
Vendor URL: http://www.altn.com/
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 24th June 2003
Advisory number: #NISR2406-03

Description
***********
WebAdmin allows administrators to securely manage MDaemon, RelayFax, and
WorldClient from anywhere in the world.

Details
*******
There is a remotely exploitable buffer overrun in the USER parameter.
By default the webadmin.exe process is started as a system service. Any
code being passed to the server by an attacker as a result of this buffer
overrun would therefore (based on a default install) execute with system
privileges.

POST /WebAdmin.dll?View=Logon HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
 application/x-shockwave-flash, */*
Referer: http://ngssoftware.com:1000/
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: MyUser Agent
Host: NGSSoftware.com
Content-Length: 74
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: User=NGSSOFTWARE; Lang=en; Theme=Standard

User=LONGSTRING&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In

Fix Information
***************
NGSSoftware alerted ALTN to these issues on the 19th of June 2003.
A patch has now been made available from
ftp://ftp.altn.com/WebAdmin/Release/wa205_en.exe

A check for these issues has been added to Typhon III, of which more
information is available from the NGSSoftware website,
http://www.ngssoftware.com

Further Information
*******************
For further information about the scope and effects of buffer overflows,
please see
http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
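
Added example (not part of the advisory, and not Alt-N or NGSSoftware code): a detection-side check for the request shape described above, flagging logon POSTs whose decoded User field exceeds a length limit. The 64-byte limit, the function names, the host name and the sample requests are assumptions constructed here; the advisory does not state the overflow length.

```python
from urllib.parse import parse_qs, urlsplit

MAX_USER_LEN = 64  # assumed policy limit; the advisory states no overflow length


def check_logon_request(raw, max_len=MAX_USER_LEN):
    """Return findings for one raw HTTP request; an empty list means no match."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        method, target, _ = head.split(b"\r\n")[0].decode("latin-1").split(" ", 2)
    except ValueError:
        return ["malformed request line"]
    url = urlsplit(target)
    query = {k.lower(): v[0].lower() for k, v in parse_qs(url.query).items()}
    # In scope: only the logon POST named in the advisory.
    in_scope = (method.upper() == "POST"
                and url.path.lower().endswith("/webadmin.dll")
                and query.get("view") == "logon")
    if not in_scope:
        return []
    # latin-1 maps each decoded byte to one character, so len() counts the
    # bytes left after percent-decoding, not the raw on-the-wire length.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True,
                      encoding="latin-1")
    findings = []
    for name, values in fields.items():
        if name.lower() == "user":  # the page writes both 'USER' and 'User'
            findings += [f"User field is {len(v)} bytes (limit {max_len})"
                         for v in values if len(v) > max_len]
    return findings


def build_request(target, body):
    """Constructed sample request for the demo; not captured traffic."""
    head = (f"POST {target} HTTP/1.1\r\nHost: mail.example.test\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return (head + body).encode("latin-1")


# Constructed samples: normal logon, oversized field, percent-encoded field,
# and a POST to a different (placeholder) view that is out of scope.
SAMPLES = {
    "normal": build_request("/WebAdmin.dll?View=Logon", "User=admin&Password=foo"),
    "long": build_request("/WebAdmin.dll?View=Logon", "User=" + "A" * 300 + "&Password=foo"),
    "encoded": build_request("/webadmin.dll?view=logon", "user=" + "%41" * 100),
    "other": build_request("/WebAdmin.dll?View=Other", "User=" + "A" * 300),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_logon_request(raw))
```

The same length test can be applied to proxy or WAF logs that record request bodies; on hosts already upgraded to 2.05 it serves as a record of probing rather than as a control.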