Bugtraq mailing list archives

Buffer Overrun in Talentsoft's Web+ (#NISR01032002A)
From: "David Litchfield" <nisr () nextgenss com>
Date: Tue, 5 Mar 2002 17:55:06 -0000

NGSSoftware Insight Security Research Advisory

Name:                   Web+ Buffer Overflow
Systems Affected:       IIS4/5 on Windows NT/2000
Severity:               High Risk
Category:               Buffer Overrun / Privilege Escalation
Vendor URL:             http://www.talentsoft.com
Author:                 Mark Litchfield (mark () ngssoftware com)
Date:                   1st March 2002
Advisory number:        #NISR05032002A

Issue:                  Attackers can exploit a buffer overrun
                        to execute arbitrary code as SYSTEM.

Talentsoft's Web+ v5.0 is a powerful and comprehensive development
environment for use in creating web-based client/server applications.

During installation webplus.exe is copied into the cgi-bin or scripts
directory and is utilised by many of TalentSoft's products such as Web+
Shop, Web+ Mall and Web+ Enterprise.  An overly long character string
supplied to webplus.exe is passed on to a system service, webpsvc.exe.
It is this service that overflows, overwriting the saved address on the
stack.  Because Webpsvc by default is started as a system service, any
arbitrary code executed on the server would run in the security context
of the SYSTEM account.
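
As an added example (not part of the original advisory, and not NGSSoftware
or TalentSoft code), the following Python script shows how a defender could
search IIS W3C extended logs for requests that hand unusually long input to
webplus.exe. The 512-character threshold, the function name and the sample
log lines are assumptions made for illustration; the advisory does not state
a trigger length.

```python
"""Flag IIS W3C log entries that send unusually long input to webplus.exe."""

# Assumption: the advisory gives no length, so this threshold is a tunable
# starting point for review, not a known trigger size.
MAX_INPUT_LEN = 512
TARGET = "/webplus.exe"

# Constructed sample log (not real traffic; parameter names are illustrative).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-03-05 10:00:01 192.0.2.10 GET /cgi-bin/webplus.exe script=/shop/index.wml 200
2002-03-05 10:00:07 192.0.2.77 GET /scripts/WebPlus.exe script={long} 500
2002-03-05 10:00:09 192.0.2.10 GET /default.htm - 200
2002-03-05 10:00:12 192.0.2.77 GET /cgi-bin/webplus.exe/{long} - 500
""".format(long="A" * 2000)


def find_long_webplus_requests(lines, max_len=MAX_INPUT_LEN):
    """Return one dict per request whose input to webplus.exe exceeds max_len."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        pos = stem.lower().find(TARGET)  # IIS paths are case-insensitive
        if pos < 0:
            continue
        # Input can arrive as extra path after the executable or as the query.
        extra_path = stem[pos + len(TARGET):]
        query = row.get("cs-uri-query", "-")
        size = len(extra_path) + (0 if query == "-" else len(query))
        if size > max_len:
            hits.append({"when": f"{row.get('date')} {row.get('time')}",
                         "client": row.get("c-ip"),
                         "input_len": size,
                         "status": row.get("sc-status")})
    return hits


if __name__ == "__main__":
    for hit in find_long_webplus_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

Hits that coincide with 500 responses or with restarts of the webpsvc service
are the ones to review first on unpatched hosts.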

Fix Information
NGSSoftware alerted TalentSoft to these problems on 12th February 2002.
Talentsoft has created a patch for this issue and NGSSoftware advises
all Web+ customers to apply this as soon as is possible.

Please see http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943 for
more details.

A check for this issue has been added to Typhon II, of which more
information is available from the NGSSoftware website,
http://www.ngssoftware.com.

Further Information

For further information about the scope and effects of buffer overflows,
please see
