From mark@ngssoftware.com Sat Jul 19 02:58:58 2003 From: Next Generation Insight Security Reseach Team To: bugtraq@securityfocus.com, vulndb@securityfocus.com, vulnwatch@vulnwatch.org Date: Fri, 18 Jul 2003 16:51:56 -0700 Subject: [VulnWatch] Witango & Tango 2000 Application Server Remote System Buffer Overrun [ The following text is in the "iso-8859-1" character set. ] [ Your display is set for the "US-ASCII" character set. ] [ Some characters may be displayed incorrectly. ] NGSSoftware Insight Security Research Advisory Name: WiTango Application Server & Tango 2000 Systems Affected: Windows Severity: Critical Risk Category: Remote System Buffer Overrun Vendor URL: http://www.witango.com Author: Mark Litchfield (mark@ngssoftware.com) Date: 18th July 2003 Advisory number: #NISR18072003 Description *********** As detailed on http://www.witango.com - Witango can provide your Web Application with a solid application framework, a simple interface for both the production and ongoing maintenance of complex application logic, a variety of mechanisms to integrate to non-web interfaces, and a wide range of database connectivity options. The Witango product suite provides a comprehensive Integrated Development Environment (IDE) to enable application developers to rapidly generate XML files which can then be deployed to a wide range of operating systems. Witango is a fast to learn, easy to use, scalable solution for the Professional Web Application Developer. Details ******* By passing a long cookie to Witango_UserReference we overwrite the saved return address on the stack. As Witango is installed as LocalSystem, any arbitrary code execution will run as SYSTEM GET /ngssoftware.tml HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* Accept-Language: en-gb User-Agent: My Browser Host: ngssoftware.com Connection: Keep-Alive Cookie: Witango_UserReference= parameter length 2864 I have been asked by Phil Wade of Witango to mention the following: "We also did some tests on older versions of the server and found the vulnerability also exists in the previous version of the server which was known as Tango 2000. Can you also mention that Tango 2000 is also vulnerable and should be upgraded to Witango 5.0.1.062 especially if the Tango 2000 server is accessible from the internet" Fix Information *************** NGSSoftware alerted Witango to this issue on 13th July 2003. I would like to mention, that Witango acted very quickly in producing a patch helping to ensure that their clients are protected. Please visit http://www.witango.com to download the latest build. A check for this issue has been added to Typhon, a comprehensive automated vulnerability assessment tool of which more information is available from the NGSSite http://www.ngssoftware.com About NGSSoftware ***************** NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in London, and St Andrews Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments. http://www.ngssoftware.com http://www.ngsconsulting.com Telephone: +44 208 40 100 70 Fax: +44 208 401 0076