Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Infoseek Ultraseek Remote Buffer Overflow
From: Marc () EEYE COM (Marc)
Date: Thu, 16 Dec 1999 13:07:27 -0800

Something we failed to mention, which is rather important, is that only the
NT version of Ultraseek is affected.

eEye Digital Security Team

| -----Original Message-----
| From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of
| luciano
| Sent: Thursday, December 16, 1999 12:49 AM
| Subject: Infoseek Ultraseek Remote Buffer Overflow
| USSR & eEye DS Present:
| Infoseek Ultraseek 3.1 Remote Buffer Overflow
| USSR Advisory Code:    20
| eEye DS Advisory Code: AD19991215
| Release Date:
| December 15, 1999
| Systems Affected:
| Infoseek Ultraseek 2.1 to 3.1 and possibly others.
| The Opener:
| T1 Internet Connection:             $1,000/month
| Dell PowerEdge 4350 Server:         $4,307
| 10k Doc. license for Ultraseek 3.1: $4,995
| Brand new office in silicon valley: $10,000/month
| The look on your CEO's face when you get hacked: Priceless.
| About The Software:
| Ultraseek is Infoseek Corporation's search engine software. The power and
| flexibility of Ultraseek allow it to be used by a variety of business's.
| >From the small mom and pop shops to companies even as large as Infoseek
| themselves. You've heard of go.com by now, haven't you?
| Description:
| This advisory, although a rather nasty one, will be pretty small.
| We are not
| going to get into the mechanics of buffer overflows since the subject has
| been talked about a lot. If you would like to learn more about what a
| buffer overflow is we suggest the following links:
| http://www.l0pht.com/advisories/bufero.html
| http://arden.iss.net/~msells/docs/smashstack.txt
| http://www.cultdeadcow.com/cDc_files/cDc-351/
| http://www.beavuh.org/dox/win32_oflow.txt
| By default the Ultraseek search engine listens on port 8765 and provides a
| HTTP interface to allow internet/intranet users to search a server for
| documents pertaining to their search keywords.
| To identify a vulnerable server you would do the following:
| C:\>telnet www.example.com 8765
| send-> HEAD / HTTP/1.0
| recv-> HTTP/1.0 200 OK
| recv-> Server: Ultraseek/3.1 Python/1.5.1
| recv-> Date: Thu, XX Dec 1999 23:59:42 GMT
| recv-> Content-type: text/html
| recv-> Content-length: 0
| Ultraseek 3.1 is the current version of Ultraseek as of the
| writing of this
| advisory. We have tested versions as old as 2.1. So while we are not
| positive, we are pretty sure every version of Ultraseek prior to 3.1 is
| vulnerable.
| The overflow occurs in the HTTP Get command. To DoS (Denial of
| Service) the
| server you would do  the following:
| C:\>telnet www.example.com 8765
| GET /[overflow]/ HTTP/1.0
| <enter>
| <enter>
| At this point one of the two pyseekd.exe (Ultraseek Server Process) will
| drop and reinitialize. Since it is a service you will never get an on
| screen memory error. Also you will not even really notice the process drop
| and reload but if you look closely when you DoS the server one of the two
| pyseekd.exe process's will now have a new PID.
| This is just like any typical buffer overflow and it is exploitable. To
| download a proof of concept exploit, go to:
| http://www.ussrback.com/
| http://www.eeye.com/
| Note: The example will just create a file called ussreeye.txt in whatever
| the current root is. This exploit has only been tested against
| Ultraseek 2.1
| for NT Service Pack 5 and NT Service Pack 6. Please do not send us eMail
| saying you could not get it to work or things of that nature. If you can't
| fix it yourself then most likely you do not need to be using it
| in the first
| place.
| What gets logged you ask?
| Well in the application event log you will see a Warning with the
| following
| information: "Ultraseek Server: Warning: restarted 3.1.4".
| In the Ultraseek http access logs (C:\Program
| Files\Infoseek\UltraseekServer\data\logs) nothing gets logged.
| So when all is said and done unless you have a router log to
| match the event
| log time with... your left with no way of knowing who did the dirty deed.
| Once again a web service, just like IIS, fails to log a command before it
| processes. Any service that takes commands needs to log the command first
| and then process it. That way unless there is an overflow in the logging
| process we will always know what IP performed the attack.
| This advisory was made possible by a joint effort of USSR (Underground
| Security Systems Research) and eEye Digital Security.
| Do you do the w00w00?
| This advisory also acts as part of w00giving. This is another contribution
| to w00giving for all you w00nderful people out there. You do know what
| w00giving is don't you? http://www.w00w00.org/advisories.html
| Vendor Status:
| We would like to thank Infoseek for the wonderful way they handled this
| advisory. The process went rather perfect, if there is such a thing in the
| security world.
| Fix:
| http://software.infoseek.com/products/ultraseek/upgrade_nt.htm
| ftp://ftp.infoseek.com/pub/software/ultraseek-3.1.5.exe
| Related Links:
| eEye Digital Security
| http://www.eEye.ccom
| Retina - The Network Security Scanner
| http://www.eEye.com/retina/
| Underground Security Systems Research
| http://www.ussrback.com
| CrunchSp
| http://www.ussrback.com/products.html
| Greetings:
| Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and
| Wiretrip.
| Copyright (c) 1998-1999 eEye Digital Security
| Permission is hereby granted for the redistribution of this alert
| electronically. It is not to  be edited in any way without express consent
| of eEye. If you wish to reprint the whole or any  part of this
| alert in any
| other medium excluding electronic medium, please e-mail
| alert () eEye com for
| permission.
| Disclaimer
| The information within this paper may change without notice. Use of this
| information  constitutes acceptance for use in an AS IS
| condition. There are
| NO warranties with regard to  this information. In no event shall
| the author
| be liable for any damages whatsoever arising out  of or in connection with
| the use or spread of this information. Any use of this information is  at
| the user's own risk.
| Feedback
| Please send suggestions, updates, and comments to:
| eEye Digital Security
| mail:info () eEye com
| http://www.eEye.com
| USSR Labs
| mail:labs () ussrback com
| http://www.ussrback.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]