Buffer Overrun in Talentsoft's Web+ (#NISR01032002A)
From: "David Litchfield" <nisr () nextgenss com>
Date: Tue, 5 Mar 2002 17:55:06 -0000
NGSSoftware Insight Security Research Advisory
Name: Web+ Buffer Overflow
Systems Affected: IIS4/5 on Windows NT/2000
Severity: High Risk
Category: Buffer Overrun / Privilege Escalation
Vendor URL: http://www.talentsoft.com
Author: Mark Litchfield (mark () ngssoftware com)
Date: 1st March 2002
Advisory number: #NISR05032002A
Issue: Attackers can exploit a buffer overrun
to execute arbitrary code as SYSTEM.
Talentsoft's Web+ v5.0 is a development environment for creating web-based
client/server applications. During installation webplus.exe is copied into
the cgi-bin or scripts directory and is used by many of TalentSoft's
products, such as Web+ Shop, Web+ Mall and Web+ Enterprise. An attacker can
supply an overly long character string to webplus.exe, which passes it on to
a system service, webpsvc.exe. It is this service that overflows,
overwriting the saved return address on the stack. Because webpsvc.exe is by
default started as a system service, any arbitrary code executed on the
server runs in the security context of the SYSTEM account.
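The bug class described above, as an added illustration that is not Web+ source code and not part of the advisory: a request string reaches a service and is copied into a fixed-size stack buffer without a length check, so anything longer than the buffer overwrites the saved return address. The buffer size, function names and the 4096-byte test input are all assumptions for the example; the hardened handler shows the check a service should apply before copying.

```c
/* Added example: generic stack-overrun pattern and a bounded rewrite.
 * Illustrative code only; SVC_BUF_SIZE and the function names are assumed. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define SVC_BUF_SIZE 64   /* assumed size of the service's stack buffer */

/* Result codes for the hardened handler. */
enum { REQ_OK = 0, REQ_TOO_LONG = 1, REQ_BAD_CHAR = 2 };

/* Vulnerable pattern (never call with untrusted input): the request string
 * is copied into a fixed stack buffer with no length check. Input longer
 * than SVC_BUF_SIZE-1 bytes runs past the buffer into the saved frame
 * pointer and return address, which is the class of bug the advisory
 * describes. */
static int handle_request_unsafe(const char *arg)
{
    char buf[SVC_BUF_SIZE];
    strcpy(buf, arg);                       /* unbounded copy */
    return (int)strlen(buf);
}

/* Hardened handler: find the terminator within the destination size first,
 * reject over-long or non-printable input, then do a bounded copy. */
static int handle_request_safe(const char *arg, char *out, size_t outsz)
{
    /* memchr stops at outsz bytes, so an unterminated or over-long string
     * is rejected without scanning past what we are allowed to read. */
    const char *end = memchr(arg, '\0', outsz);
    if (end == NULL)
        return REQ_TOO_LONG;                /* would not fit with its NUL */
    size_t n = (size_t)(end - arg);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (c < 0x20 || c > 0x7e)
            return REQ_BAD_CHAR;            /* reject control bytes */
    }
    memcpy(out, arg, n + 1);                /* copies the terminator too */
    return REQ_OK;
}

/* Convenience wrapper using a local buffer of the assumed service size. */
static int check_request(const char *arg)
{
    char out[SVC_BUF_SIZE];
    return handle_request_safe(arg, out, sizeof out);
}

/* Builds the kind of over-long string an attacker would send: len bytes of
 * 'A' then NUL (constructed test input). Returns the handler's verdict. */
static int check_long_request(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return -1;
    memset(s, 'A', len);
    s[len] = '\0';
    int rc = check_request(s);
    free(s);
    return rc;
}

int main(void)
{
    /* handle_request_unsafe() on the 4096-byte string would smash the
     * stack; only the hardened handler is exercised with it here. */
    printf("4096 bytes -> %d (expect %d)\n", check_long_request(4096), REQ_TOO_LONG);
    printf("63 bytes   -> %d (expect %d)\n", check_long_request(63), REQ_OK);
    printf("short arg  -> %d (expect %d)\n", check_request("item=42"), REQ_OK);
    printf("unsafe, short arg -> %d\n", handle_request_unsafe("item=42"));
    return 0;
}
```

The length check has to happen before the copy and against the destination size, not the source length; `memchr` with the destination size as the bound is one standard way to do both in a single step. Validating the string in webplus.exe as well would be good practice, but the service cannot rely on that, since anyone who can reach the service's input channel can send it a string directly.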
NGSSoftware alerted TalentSoft to this problem on 12th February 2002.
Talentsoft has created a patch for this issue and NGSSoftware advises
all Web+ customers to apply it as soon as possible.
Please see http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943 for
A check for this issue has been added to Typhon II; more information on
Typhon II is available from the NGSSoftware website,
http://www.ngssoftware.com.
For further information about the scope and effects of buffer overflows,