From: David Litchfield (nisrnextgenss.com)
Date: Tue Mar 05 2002 - 11:55:06 CST


    NGSSoftware Insight Security Research Advisory

    Name: Web+ Buffer Overflow
    Systems Affected: IIS4/5 on Windows NT/2000
    Severity: High Risk
    Category: Buffer Overrun / Privilege Escalation
    Vendor URL: http://www.talentsoft.com
    Author: Mark Litchfield (markngssoftware.com)
    Date: 1st March 2002
    Advisory number: #NISR05032002A

    Issue: Attackers can exploit a buffer overrun vulnerability
           to execute arbitrary code as SYSTEM.

    Description
    ***********
    Talentsoft's Web+ v5.0 is a powerful and comprehensive development
    environment for use in creating web-based client/server applications.

    Details
    *******
    During installation webplus.exe is copied into the cgi-bin or scripts
    directory and is utilised by many of TalentSoft's products such as Web+
    Shop, Web+ Mall and Web+ Enterprise. An overly long character string
    supplied to webplus.exe is passed on to a system service,
    webpsvc.exe. It is this service that overflows, overwriting the saved
    return
    address on the stack. Because Webpsvc by default is started as a system
    service, any arbitrary code executed on the server would run in the
    security context of the SYSTEM account.

    Fix Information
    ***************
    NGSSoftware alerted TalentSoft to these problems on 12th February 2002.
    Talentsoft has created a patch for this issue and NGSSoftware advises
    all Web+ customers to apply this as soon as is possible.

    Please see http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943 for
    more details.

    A check for this issue has been added to Typhon II, of which more
    information is available from the NGSSoftware website,
    http://www.ngssoftware.com.

    Further Information
    *******************

    For further information about the scope and effects of buffer overflows,
    please see

    http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
    http://www.ngssoftware.com/papers/ntbufferoverflow.html
    http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
    http://www.ngssoftware.com/papers/unicodebo.pdf
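
The following log check is an added example, not part of the NGSSoftware advisory or of any TalentSoft code: it scans IIS W3C extended logs for unusually long requests to webplus.exe, the kind of input described under Details. The 1024-character threshold, the `param=` name, the addresses and the log lines are constructed assumptions; the advisory does not state a length or a parameter.

```python
"""Flag oversized requests to webplus.exe in IIS W3C extended logs."""

TARGET = "webplus.exe"
MAX_REQUEST_CHARS = 1024  # assumed threshold; tune against normal Web+ traffic

def parse_w3c(lines):
    """Yield one dict per request, named by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def flag_long_requests(lines, limit=MAX_REQUEST_CHARS):
    """Return (client IP, status, request length) for oversized webplus.exe hits."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        if TARGET not in stem.lower():
            continue
        query = rec.get("cs-uri-query", "-")
        length = len(stem) + (0 if query == "-" else len(query))  # "-" = empty
        if length > limit:
            hits.append((rec.get("c-ip", "?"), rec.get("sc-status", "?"), length))
    return hits

# Constructed sample log (documentation-range addresses, filler payload).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-03-05 10:00:01 192.0.2.10 GET /scripts/webplus.exe param=index 200",
    "2002-03-05 10:00:07 198.51.100.77 GET /cgi-bin/webplus.exe param="
    + "x" * 2000 + " 500",
    "2002-03-05 10:00:09 192.0.2.10 GET /default.htm - 200",
]

if __name__ == "__main__":
    for ip, status, length in flag_long_requests(SAMPLE_LOG):
        print(f"{ip} sent a {length}-character request to {TARGET} (status {status})")
```

A hit is only a lead for review: compare it with the patch status of the host and with what legitimate Web+ requests on that site normally look like.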