From nisr@ngssoftware.com Thu Apr 18 13:38:28 2002 From: NGSSoftware Insight Security Research To: bugtraq@securityfocus.com Date: Tue, 16 Apr 2002 15:10:15 +0100 Subject: Webtrends Reporting Center Buffer Overflow (#NISR17042002C) [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] NGSSoftware Insight Security Research Advisory Name: WebTrends Reporting Center 4.0d Systems Affected: WinNT, Win2K, XP Severity: High Risk Category: Remote System Buffer Overrun Vendor URL: http://www.webtrends.com Author: Mark Litchfield (mark@ngssoftware.com) Advisory URL: http://www.ngssoftware.com/advisories/wtr.txt Date: 17th April 2002 Advisory number: #NISR17042002C Issue: Attackers can run arbitrary code, remotely, as SYSTEM. Description *********** WebTrends Reporting Center provides fast and comprehensive analysis of web site activity to multiple decision-makers throughout an organization via a browser-based interface. WebTrends Reporting Center is, according to their own website, NetIQ's flagship web analytics reporting product, recently receiving an Editor's Choice Award from Network Computing Magazine (Feb 6, 2002). Details ******* Buffer Overrun: In order for an attacker to exploit this vulnerability requires they must first undergo user authentication at http://targetmachine:1099(default listening port)/remote_login.pl. However, Webtrends Reporting Server allows anonymous logins for reports that are made available for public viewing. After a successful login, making a GET request to http://targetmachine:1099/reports/(Long Char String) will cause an access violation occurs in WTRS_UI.EXE (WTX_REMOTE.DLL) overwriting the saved return address on the stack. The Reporting Server process, WTRS_UI.EXE, is by default started as a system service along with WTRS.EXE, therefore any arbitary code would execute with system privileges. Path Disclosure - By making a simple GET request for http://targetmachine/get_od_toc.pl?Profile= (no authentication required) an error message is returned - Unable to open content file path=C:/PROGRA~1/WEBTRE~1/wtm_wtx/ Fix Information *************** NGSSoftware alerted Webtrends to the buffer overrun issue on 31st March 2002 and future versions will be fixed. There is still some question as to whether a patch will be produced for earlier versions. In the meantime NGSSoftware recommend preventing anonymous access to the Reports server. NGSSoftware recommend that where possible, the service be run as a low privileged account as opposed to starting it as a system service. A check for these issues have been added to Typhon II, NGSSoftware's vulnerability assessment scanner, of which more information is available from the NGSSite : http://www.ngssoftware.com/. Further Information ******************* For further information about the scope and effects of buffer overflows, please see http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf http://www.ngssoftware.com/papers/ntbufferoverflow.html http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf http://www.ngssoftware.com/papers/unicodebo.pdf