PROTEGO Security Advisory #PSA200405

Topic:              Buffer Overflow in HAHTsite Scenario Server 5.1
Platform:           Windows, Solaris and Linux
Application:        HAHTsite Scenario Server 5.1, Patch 1 to 6
Author:             Dennis Rand (dra at protego.dk)
Advisory URL:       http://www.protego.dk/advisories/20045.html
Vendor Name:        HAHT Commerce
Vendor URL:         http://www.haht.com
Vendor contacted:   12. Nov. 2003
Public release:     2. Apr. 2004
Security Focus Bid: 10033
CERT:               VU#705958

Explanation:

The HAHTsite® Scenario Server is a highly flexible, standards-based e-business server that offers essential platform features such as scalability, high availability, security and extensibility. The Scenario Server also offers essential integration features that provide a powerful framework for your demand chain management environment.

Problem:

The HAHTsite Scenario Server does not perform proper bounds checking on requests passed to the application. This results in a buffer overflow condition when a large, specially crafted request is sent to the server.

Details:

The issue can be triggered by requesting:

http://[hostname]/[cgialias]/hsrun.exe/[ServerGroupName]/[ServerGroupName]/[VeryLongProjectName].htx;start=[PageName]

This bug affects both background processes (regular server groups) and control processes (the administrative server group).
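As an added detection example (not part of the original advisory), the following Python scans web server access-log lines for hsrun.exe requests of the shape given above and flags those whose project-name component is abnormally long. The log lines, the 64-character threshold and the 600-character placeholder name are constructed assumptions, not values from the advisory.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the advisory). The long
# project name is a placeholder length chosen for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2004:10:00:01 +0200] "GET /cgi-bin/hsrun.exe/Sales/Sales/Orders.htx;start=HomePage HTTP/1.1" 200 512
10.0.0.9 - - [02/Apr/2004:10:00:07 +0200] "GET /cgi-bin/hsrun.exe/Sales/Sales/{}.htx;start=HomePage HTTP/1.1" 500 0
10.0.0.9 - - [02/Apr/2004:10:00:09 +0200] "GET /index.html HTTP/1.1" 200 1024
""".format("A" * 600)

# Matches the request shape from the advisory's Details section:
#   /[cgialias]/hsrun.exe/[ServerGroupName]/[ServerGroupName]/[ProjectName].htx;start=[PageName]
HSRUN_RE = re.compile(
    r'"(?:GET|POST|HEAD)\s+'
    r'/(?P<alias>[^/\s]+)/hsrun\.exe/(?P<group1>[^/\s]+)/(?P<group2>[^/\s]+)/'
    r'(?P<project>[^/\s;]+?)\.htx(?:;start=(?P<page>[^\s"?]*))?',
    re.IGNORECASE,
)

# Assumed threshold: legitimate HAHTsite project names are short identifiers.
MAX_PROJECT_NAME = 64


def parse_hsrun_request(line):
    """Return the hsrun.exe request components from one access-log line, or None."""
    m = HSRUN_RE.search(line)
    if not m:
        return None
    parts = m.groupdict()
    # Percent-decode first: the decoded length is what reaches the server.
    parts["project"] = unquote(parts["project"])
    return parts


def find_suspicious_requests(log_text, max_len=MAX_PROJECT_NAME):
    """Return (line_no, source_ip, project_name_length) for oversized project names."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        req = parse_hsrun_request(line)
        if req is not None and len(req["project"]) > max_len:
            hits.append((n, line.split()[0], len(req["project"])))
    return hits


if __name__ == "__main__":
    for line_no, ip, length in find_suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: {ip} requested hsrun.exe with a {length}-char project name")
```

Correlating such hits with Event ID 1032 "Unexpected termination" entries from the HAHTsite controller gives a stronger signal than either source alone.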
The following error will appear in the event viewer when this vulnerability is exploited:

-------------------------------------------------------------------
Event Type:     Error
Event Source:   HAHTsite 5.1 Controller
Event Category: None
Event ID:       1032
Description:    Unexpected termination of server hsadmsrv with PID=xxxx: Exit Reason: Unknown Reason
-------------------------------------------------------------------

Impact:

A request like the above will overrun the allocated buffer and overwrite EIP (the instruction pointer), which leads to a service restart and the possibility of remote code execution, giving an attacker the opportunity to run commands on the server with the permissions of NT AUTHORITY\SYSTEM.

PROTEGO has developed a Proof of Concept exploit that will make the server return a command prompt with SYSTEM privileges to an attacker.

Corrective actions:

This security vulnerability can be corrected by applying the server fix [20030010] from www.haht.com/kb

For Windows: ftp://ftp.haht.com/private/support/fixes/5.1/build91/ox79989_buffer_overrun_fix.zip
For Solaris: Contact HAHT Technical Support at support@haht.com.
For Linux:   Contact HAHT Technical Support at support@haht.com.

Disclaimer:

The information within this document may change without notice. Use of this information constitutes acceptance for use in an "AS IS" condition. There are NO warranties with regard to this information. In no event shall PROTEGO be liable for any consequences or damages, including direct, indirect, incidental, consequential, loss of business profits or special damages, arising out of or in connection with the use or spread of this information. Any use of this information lies within the user's responsibility. All registered and unregistered trademarks represented in this document are the sole property of their respective owners.