Web+ Buffer Overflow

March 13th, 2002

NGSSoftware Insight Security Research Advisory

Name:             Web+ Buffer Overflow

Systems Affected:     Web+ 4.6/5.0 on Windows NT/2000, Solaris, Linux

Severity:        High Risk

Vendor URL:         http://www.talentsoft.com

Author:            David Litchfield (david@ngssoftware.com)

Date:            13th March 2002

Advisory number:    #NISR13032002

Advisory URL:        http://www.ngssoftware.com/advisories/webplus2.txt

Issue: Attackers can run arbitrary code as SYSTEM.

Description

***********

Talentsoft’s Web+ v5.0 is a powerful and comprehensive development environment for use in creating web-based client/server

applications.

Details

*******

Web Markup Language (wml) scripts files are created that contain the application logic. These are requested by a web client

from the web server using either an ISAPI filter (webplus.dll) or a CGI executable (webplus.exe). These are known as Web+

clients. The Web+ client passes this request to the Web+ plus server for dispatch. When a request is made for an overly

long wml file an unchecked buffer is overflowed and the saved return address on the stack is overwritten. In this fashion

an attacker can gain control over the Web+ server’s path of execution. By pointing the process’ execution back into the

user supplied buffer arbitrary code can be executed. On Windows machines, as the service runs with SYSTEM privileges any code executed will

run uninhibited. This is also true of unix systems if the server is running as root.

Fix Information

***************

This overflow was discovered on the 6th of March after Talentsoft had provided a fix for an overflow discovered by

NGSSoftware in Februrary. TalentSoft withdrew this patch to fix this second overflow issue. This patch has been

re-issued and is available from http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943. NGSSoftware urges all

Web+ customers to apply this as soon as is possible.

A check for this issue has been added to Typhon II, of which more information is available from the NGSSoftware

website, http://www.ngssoftware.com.

Risk Mitigation

***************

It is suggested that an low privileged account be created and this account should be used to run the Web+ services -

this includes the Monitoring Service and the Server itself.

Further Information

*******************

For further information about the scope and effects of buffer overflows, please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf

http://www.ngssoftware.com/papers/ntbufferoverflow.html

http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf

http://www.ngssoftware.com/papers/unicodebo.pdf

Section Navigation


Red Nose Day 2009

Red Nose Day 2009

Customer Testimonials

Read what some of our satisfied customers are saying about us.

Speaking Events

We regularly present and speak at international security conferences throughout the world.

OWASP AppSec Europe 2008

AusCERT 2008

ITWeb Security Summit

NGS Publications

Web Application Hacker's Handbook

Oracle Hacker's Handbook

Database Hacker's Handbook

The Shellcoder's Handbook

SQL Server Security

Configuring IPCop Firewalls