From nisr@nextgenss.com Tue Feb 19 11:19:01 2002
From: NGSSoftware Insight Security Research
To: bugtraq@securityfocus.com
Date: Mon, 18 Feb 2002 15:17:10 -0000
Subject: Netwin Webnews Buffer Overflow Vulnerability (#NISR18022002)

NGSSoftware Insight Security Research Advisory

Name: Netwin Webnews.exe
Systems Affected: IIS4 & IIS5 on Windows NT/2000
Severity: High Risk
Vendor URL: http://www.netwinsite.com
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 18th February 2002
Advisory number: #NISR18022002
Advisory URL: http://www.nextgenss.com/advisories/netwinnews.txt

Issue
*****

Netwin's WebNews contains a remotely exploitable buffer overrun that allows the execution of arbitrary code.

Description
***********

WebNEWS is a server-side (CGI) application which provides users with web-based access to Internet news groups. It is compatible with any standard NNTP (Network News) server. WebNews allows news groups to be displayed, accessed and searched via a web-based interface, and may be used to provide a web-based news service similar to the popular Deja News service. Providing web access to news gives users access to their news from anywhere on the net; all they need is a web browser.

Details
*******

Webnews.exe is the main executable that provides the program's functionality. The buffer overflow manifests itself when an overly long string (c. 1500 bytes) is supplied in the "group" parameter of the query string and the server receives a valid "utoken". The "utoken" is the user token supplied by the server for a given session.

In terms of an attack, any code executed will run in the security context of the low-privileged account used by IIS to service such requests, so it will not have full control over the system. That said, it is imperative that this be addressed, as it gives an attacker greater access to the vulnerable system and to other machines behind the firewall on the same DMZ.

Fix Information
***************

NGSSoftware alerted Netwin to this problem on the 11th of February; Netwin responded quickly with a patch. The patch was made available on the 14th of February 2002 and can be downloaded from ftp://netwinsite.com/pub/webnews/beta/

A check for this issue has been added to Typhon II; more information is available from the NGSSoftware website, http://www.ngssoftware.com.

Further Information
*******************

For further information about the scope and effects of buffer overflows, please see:

http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
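As an added detection example (not part of the advisory, and not code from NGSSoftware or Netwin), the script below scans IIS W3C-style log lines for requests to webnews.exe whose "group" query value is far longer than any real news group name, which is the condition the Details section describes. The log field order, the sample lines, the 1024-byte default alerting threshold (set below the c. 1500 bytes the advisory cites so that shorter probes are also surfaced) and the record layout it returns are all assumptions of this example:

```python
"""Flag webnews.exe requests carrying an oversized `group` query parameter.

Added example; not code from the advisory, NGSSoftware or Netwin.
Assumed IIS W3C field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
"""
from urllib.parse import parse_qs

# Constructed sample log lines (hypothetical, not captured from a real server).
# Line 2 carries a 1500-byte group value alongside a valid-looking utoken.
SAMPLE_LOG = "\n".join([
    "2002-02-18 15:17:10 10.0.0.5 GET /cgi-bin/webnews.exe utoken=AB12CD&group=comp.security.announce 200",
    "2002-02-18 15:17:12 10.0.0.5 GET /cgi-bin/webnews.exe utoken=AB12CD&group=" + "A" * 1500 + " 500",
    "2002-02-18 15:17:15 10.0.0.9 GET /cgi-bin/webnews.exe group=alt.test 200",
    "2002-02-18 15:17:20 10.0.0.9 GET /default.htm - 200",
])


def parse_iis_line(line):
    """Split one W3C log line into a dict; return None if it is malformed."""
    fields = line.split(" ")
    if len(fields) != 7:
        return None
    date, time, client, method, stem, query, status = fields
    # IIS writes "-" when the request has no query string.
    return {"date": date, "time": time, "client": client, "method": method,
            "stem": stem, "query": "" if query == "-" else query, "status": status}


def group_length(query):
    """Length of the longest decoded `group` value in the query (0 if absent)."""
    params = parse_qs(query, keep_blank_values=True)
    return max((len(v) for v in params.get("group", [])), default=0)


def find_overlong_group_requests(log_text, threshold=1024):
    """Return one record per webnews.exe request whose group length >= threshold.

    threshold=1024 is an assumed alerting level, deliberately below the
    c. 1500 bytes the advisory names, so shorter probing attempts are seen too.
    """
    hits = []
    for raw in log_text.splitlines():
        rec = parse_iis_line(raw)
        if rec is None or not rec["stem"].lower().endswith("webnews.exe"):
            continue
        glen = group_length(rec["query"])
        if glen >= threshold:
            params = parse_qs(rec["query"], keep_blank_values=True)
            hits.append({
                "client": rec["client"],
                "time": rec["time"],
                "group_len": glen,
                "status": rec["status"],
                # The advisory says the overflow needs a valid utoken, so record
                # whether one was present; "valid" cannot be judged from the log.
                "has_utoken": bool(params.get("utoken", [""])[0]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_overlong_group_requests(SAMPLE_LOG):
        print(hit)
```

The utoken flag is only "present or not": whether the token was actually valid for a session is something the server knew and the log does not record, so an alert on a long group value should be treated as an attempt regardless, and correlated with the HTTP status (a 500 from the CGI is a useful secondary signal). Apply the vendor patch from the Fix Information section rather than relying on log review alone.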