Web+ Cookie Buffer Overflow
April 17th, 2002
NGSSoftware Insight Security Research Advisory
Name: Web+ Cookie Buffer Overflow
Systems Affected: IIS and Web+ 4.6/5.0 on Windows NT/2000
Severity: High Risk
Vendor URL: http://www.talentsoft.com
Author: David Litchfield (david@ngssoftware.com)
Date: 17th April 2002
Advisory number: #NISR17042002B
Advisory URL: http://www.ngssoftware.com/advisories/webplus3.txt
Issue: Attackers can run arbitrary code as SYSTEM on the web server.
Description
***********
Talentsoft’s Web+ v5.0 is a powerful and comprehensive development environment for use in creating web-based client/server
applications.
Details
*******
By requesting a WML file from a web server running Web+ and supplying an overly long Cookie header, an internal
fixed-size buffer is overflowed, overwriting a saved return address on the stack. When the procedure returns,
control of the web server process' execution can be gained. If the server is running IIS 4 and using the Web+
ISAPI filter, the captured process is inetinfo.exe. As this runs as SYSTEM, any code supplied by an attacker
runs uninhibited. On IIS 5.0 the process is dllhost.exe, which runs in the context of the IWAM_* account; as
this account has limited privileges, the risk is reduced. Note that this assumes the default Medium or High
application protection setting: an IIS 5.0 application configured for Low (in-process) protection is hosted in
inetinfo.exe and is again exposed as SYSTEM. If the Web+ environment is set up using the Web+ CGI executable,
webplus.exe, on either server, then, again, the risk is reduced.
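The following is an added example written for this page; it is not Talentsoft's Web+ code or NGSSoftware's scanner code. It models the bug class described above (a request header copied into a fixed-size stack buffer with no length check) next to a hardened handler, and builds the kind of probe request a scanner check for this issue would send. The buffer size, the request path /index.wml and the helper names are assumptions for illustration only; the real Web+ buffer size is not published.

```c
/* Added example, not code from Talentsoft or NGSSoftware. Models the advisory's
 * bug class: a Cookie header copied into a fixed stack buffer without a bound,
 * beside a hardened version. COOKIE_BUF and the probe path are assumptions. */
#include <stdio.h>
#include <string.h>

#define COOKIE_BUF 64  /* assumed size; the real Web+ buffer size is unknown */

/* Locate the value of the Cookie header in a raw HTTP request (header name
 * matched case-sensitively, lines CRLF-terminated). Returns a pointer to the
 * value and stores its length in *len, or NULL when no Cookie header exists. */
static const char *find_cookie(const char *req, size_t *len)
{
    static const char key[] = "\r\nCookie: ";
    const char *p = strstr(req, key);
    const char *end;
    if (p == NULL) return NULL;
    p += sizeof key - 1;
    end = strstr(p, "\r\n");
    if (end == NULL) end = p + strlen(p);
    *len = (size_t)(end - p);
    return p;
}

/* VULNERABLE: copies the header value with no length check. A value longer
 * than COOKIE_BUF - 1 bytes overruns 'cookie' and, on an x86 stack, the saved
 * frame pointer and return address above it. Never feed this untrusted data;
 * it is here only to show the flaw. Returns the copied length. */
static int handle_request_unsafe(const char *req)
{
    char cookie[COOKIE_BUF];
    size_t len;
    const char *v = find_cookie(req, &len);
    if (v == NULL) return 0;
    memcpy(cookie, v, len);      /* unbounded: this is the overflow */
    cookie[len] = '\0';
    return (int)strlen(cookie);
}

/* HARDENED: refuse any value that does not fit, then copy with an explicit
 * bound. Returns -1 on an oversize header (the server should answer 400
 * rather than crash), 0 when absent, otherwise the copied length. */
static int handle_request_safe(const char *req)
{
    char cookie[COOKIE_BUF];
    size_t len;
    const char *v = find_cookie(req, &len);
    if (v == NULL) return 0;
    if (len >= sizeof cookie) return -1;   /* would overflow: reject */
    memcpy(cookie, v, len);
    cookie[len] = '\0';
    return (int)strlen(cookie);
}

/* Build the probe a scanner check would send: a request for a .wml resource
 * carrying a Cookie header of n filler bytes. Path and Host are constructed.
 * Returns 0 on success, -1 if 'out' cannot hold the request plus NUL. */
static int build_probe(char *out, size_t outsz, size_t n)
{
    static const char head[] =
        "GET /index.wml HTTP/1.0\r\nHost: target\r\nCookie: ";
    static const char tail[] = "\r\n\r\n";
    size_t hlen = sizeof head - 1;
    if (outsz < hlen + n + sizeof tail) return -1;  /* sizeof tail counts NUL */
    memcpy(out, head, hlen);
    memset(out + hlen, 'A', n);
    memcpy(out + hlen + n, tail, sizeof tail);
    return 0;
}

int main(void)
{
    char req[4096];
    build_probe(req, sizeof req, 20);
    printf("20-byte cookie: safe=%d unsafe=%d\n",
           handle_request_safe(req), handle_request_unsafe(req));
    build_probe(req, sizeof req, 1024);
    printf("1024-byte cookie: safe=%d (unsafe handler would overflow)\n",
           handle_request_safe(req));
    return 0;
}
```

The hardened handler makes the decision before the copy: the length of the attacker-controlled value is compared against the destination size, and oversize input is rejected outright instead of being truncated silently, so the caller can return an error to the client and log the event.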
Fix Information
***************
Talentsoft have created a patch for this problem. Please see http://www.talentsoft.com/download/download.en.wml
for more details. NGSSoftware urges all Web+ customers to apply this as soon as is possible. A check for this
issue has been added to Typhon II, NGSSoftware's vulnerability assessment scanner, of which more information is
available from the NGSSite @ http://www.ngssoftware.com/.
Further Information
*******************
For further information about the scope and effects of buffer overflows, please see
http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf