NGSSoftware Insight Security Research Advisory

Name: Web+ Buffer Overflow
Systems Affected: IIS4/5 on Windows NT/2000
Severity: High Risk
Category: Buffer Overrun / Privilege Escalation
Vendor URL: http://www.talentsoft.com
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 1st March 2002
Advisory number: #NISR05032002A

Issue: Attackers can exploit a buffer overrun vulnerability to execute arbitrary code as SYSTEM.

Description
***********

Talentsoft's Web+ v5.0 is a powerful and comprehensive development environment for use in creating web-based client/server applications.

Details
*******

During installation webplus.exe is copied into the cgi-bin or scripts directory and is utilised by many of TalentSoft's products such as Web+ Shop, Web+ Mall and Web+ Enterprise. webplus.exe itself is only the front end: the request it receives is passed on to a system service, webpsvc.exe. By supplying an overly long character string to webplus.exe, an attacker can overflow a stack buffer in that service, overwriting the saved return address. Because webpsvc.exe by default is started as a system service, any arbitrary code executed on the server would run in the security context of the SYSTEM account, regardless of the lower-privileged account under which the CGI request itself was handled.

Fix Information
***************

NGSSoftware alerted TalentSoft to these problems on 12th February 2002. TalentSoft has created a patch for this issue and NGSSoftware advises all Web+ customers to apply it as soon as possible. Please see http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943 for more details.

A check for this issue has been added to Typhon II, of which more information is available from the NGSSoftware website, http://www.ngssoftware.com.

Further Information
*******************

For further information about the scope and effects of buffer overflows, please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
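The bug class the Details section describes, modelled as an added C example that is not NGSSoftware's or TalentSoft's code and does not reproduce the real webpsvc.exe handler: a service-side routine copies a request string it received from a front end into a fixed stack buffer, checking the length against the wrong bound (the whole frame rather than the request buffer), so long requests run into the slot that would hold the saved return address. The frame is laid out as an explicit struct so the clobber is observable without relying on undefined behaviour; the request-buffer size, the sentinel value and the function names are assumptions for the illustration. The hardened handler beside it rejects any request that does not fit before touching the frame.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical layout of the service's request-handler frame: a fixed
 * request buffer followed by the slot that, on a real stack, would hold the
 * saved return address. Sizes and sentinel are assumptions for the demo. */
#define REQ_BUF_LEN 64
#define RET_SENTINEL 0xDEADBEEFCAFEBABEULL

struct sim_frame {
    char req[REQ_BUF_LEN];   /* request string copied in by the handler */
    uint64_t saved_ret;      /* stands in for the saved return address */
};

/* Vulnerable handler: the copy length is capped at sizeof(frame) instead of
 * sizeof(req), so a request of REQ_BUF_LEN bytes or more spills into
 * saved_ret. Returns 1 if the simulated return slot was overwritten, else 0. */
int vulnerable_handle(const char *request)
{
    struct sim_frame f;
    f.saved_ret = RET_SENTINEL;

    size_t n = strlen(request) + 1;          /* include the terminator */
    if (n > sizeof f)                        /* wrong bound: whole frame */
        n = sizeof f;
    memcpy(&f, request, n);                  /* writes past f.req */

    return f.saved_ret != RET_SENTINEL;
}

/* Hardened handler: checks the request against the buffer it will occupy
 * before copying. Returns 0 on success, -1 when the request is rejected,
 * -2 if the frame was nonetheless damaged (should never happen). */
int hardened_handle(const char *request)
{
    struct sim_frame f;
    f.saved_ret = RET_SENTINEL;

    size_t len = strlen(request);
    if (len >= sizeof f.req)                 /* no room for data + NUL */
        return -1;
    memcpy(f.req, request, len + 1);

    return f.saved_ret != RET_SENTINEL ? -2 : 0;
}

/* Build a constructed request of n 'A' characters into out (out holds n+1). */
void make_request(char *out, size_t n)
{
    memset(out, 'A', n);
    out[n] = '\0';
}

int main(void)
{
    char request[128];
    size_t sizes[] = { 8, REQ_BUF_LEN - 1, REQ_BUF_LEN, 100 };

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        make_request(request, sizes[i]);
        printf("request of %3zu bytes: vulnerable clobbered saved_ret=%d, "
               "hardened result=%d\n",
               sizes[i], vulnerable_handle(request), hardened_handle(request));
    }
    return 0;
}
```

The one-byte-over case (a request of exactly REQ_BUF_LEN characters) is the one to watch: only the NUL terminator lands in the return slot, which is enough to corrupt it, so the bound must be checked with `>=` against the buffer size, not `>`.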