Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Buffer Overrun in Talentsoft's Web+ (#NISR01032002A)

From: "David Litchfield" <nisr () nextgenss com>
Date: Tue, 5 Mar 2002 17:55:06 -0000
NGSSoftware Insight Security Research Advisory

Name:                   Web+ Buffer Overflow
Systems Affected:       IIS4/5 on Windows NT/2000
Severity:                       High Risk
Category:               Buffer Overrun / Privilage Escalation
Vendor URL:             http://www.talentsoft.com
Author:                 Mark Litchfield (mark () ngssoftware com)
Date:                           1st March 2002
Advisory number:                #NISR05032002A

Issue:                  Attackers can exploit a buffer overrun
vulnerability
                                to execute arbitrary code as SYSTEM.


Description
***********
Talentsoft's Web+ v5.0 is a powerful and comprehensive development
environment for use in creating web-based client/server applications.

Details
*******
During installation webplus.exe is copied into the cgi-bin or scripts
directory and is utilised by many of TalentSoft's products such as Web+
Shop, Web+ Mall and Web+ Enterprise.  By supply an overly long character
string to webplus.exe which is then passed to a system service -
webpsvc.exe. It is this service that overflows, overwriting the saved
return 
address on the stack.  Because Webpsvc by default is started as a system
service, any arbitrary code executed on the server would run in the
security context of the SYSTEM account.


Fix Information
***************
NGSSoftware alerted TalentSoft to these problems on 12th February 2002.
Talentsoft has created a patch for this issue and NGSSoftware advises
all Web+ customers to apply this as soon as is possible.

Please see http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943 for
more details.

A check for this issue has been added to Typhon II, of which more
information is available from the
NGSSoftware website, http://www.ngssoftware.com.

Further Information
*******************

For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
Previous By Date Next
Previous By Thread Next

Current thread: