
ultraseek.remote.txt

Posted Dec 16, 1999
Authored by Underground Security Systems Research

Infoseek Ultraseek 3.1 for NT contains an exploitable remote buffer overflow. Versions 2.1 through 3.1 are confirmed vulnerable. Patch available here.

tags | exploit, remote, overflow
SHA-256 | 42d3dd3af506ffa70f60f249dee703eed3fb14029aca516d36676438db7fae7e

USSR & eEye DS Present:

Infoseek Ultraseek 3.1 Remote Buffer Overflow

USSR Advisory Code: 20
eEye DS Advisory Code: AD19991215

Release Date:
December 15, 1999

Systems Affected:
Infoseek Ultraseek 2.1 to 3.1 and possibly others.

The Opener:
T1 Internet Connection: $1,000/month
Dell PowerEdge 4350 Server: $4,307
10k Doc. license for Ultraseek 3.1: $4,995
Brand new office in silicon valley: $10,000/month

The look on your CEO's face when you get hacked: Priceless.

About The Software:
Ultraseek is Infoseek Corporation's search engine software. The power and
flexibility of Ultraseek allow it to be used by a variety of businesses,
from the small mom and pop shops to companies even as large as Infoseek
themselves. You've heard of go.com by now, haven't you?

Description:

This advisory, although a rather nasty one, will be pretty small. We are not
going to get into the mechanics of buffer overflows since the subject has
been talked about a lot. If you would like to learn more about what a
buffer overflow is we suggest the following links:
http://www.l0pht.com/advisories/bufero.html
http://arden.iss.net/~msells/docs/smashstack.txt
http://www.cultdeadcow.com/cDc_files/cDc-351/
http://www.beavuh.org/dox/win32_oflow.txt

By default the Ultraseek search engine listens on port 8765 and provides an
HTTP interface to allow internet/intranet users to search a server for
documents pertaining to their search keywords.

To identify a vulnerable server you would do the following:
C:\>telnet www.example.com 8765
send-> HEAD / HTTP/1.0

recv-> HTTP/1.0 200 OK
recv-> Server: Ultraseek/3.1 Python/1.5.1
recv-> Date: Thu, XX Dec 1999 23:59:42 GMT
recv-> Content-type: text/html
recv-> Content-length: 0

Ultraseek 3.1 is the current version of Ultraseek as of the writing of this
advisory. We have tested versions as old as 2.1. So while we are not
positive, we are pretty sure every version of Ultraseek prior to 3.1 is
vulnerable.

The overflow occurs in the HTTP GET command. To DoS (Denial of Service) the
server you would do the following:
C:\>telnet www.example.com 8765
GET /[overflow]/ HTTP/1.0
<enter>
<enter>

At this point one of the two pyseekd.exe (Ultraseek Server Process)
processes will drop and reinitialize. Since it is a service you will never
get an on-screen memory error. You will also not really notice the process
drop and reload, but if you look closely when you DoS the server, one of the
two pyseekd.exe processes will now have a new PID.

This is just like any typical buffer overflow and it is exploitable. To
download a proof of concept exploit, go to:
http://www.ussrback.com/
http://www.eeye.com/
Note: The example will just create a file called ussreeye.txt in whatever
the current root is. This exploit has only been tested against Ultraseek 2.1
for NT Service Pack 5 and NT Service Pack 6. Please do not send us eMail
saying you could not get it to work or things of that nature. If you can't
fix it yourself then most likely you do not need to be using it in the first
place.

What gets logged you ask?
Well in the application event log you will see a Warning with the following
information: "Ultraseek Server: Warning: restarted 3.1.4".
In the Ultraseek http access logs (C:\Program
Files\Infoseek\UltraseekServer\data\logs) nothing gets logged.
So when all is said and done, unless you have a router log to match the event
log time with... you're left with no way of knowing who did the dirty deed.
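
The correlation described above, matching the event log restart time against a router log, can be scripted. This is an added example, not part of the original advisory; both log formats, the addresses and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta
import re

# Constructed sample data (not from the advisory): restart warnings exported
# from the application event log, and router connection records.
EVENT_LOG = """\
1999-12-15 23:59:44 Warning Ultraseek Server: Warning: restarted 3.1.4
1999-12-16 02:10:07 Warning Ultraseek Server: Warning: restarted 3.1.4
"""
ROUTER_LOG = """\
1999-12-15 23:58:01 permit tcp 192.0.2.10:1044 -> 198.51.100.5:8765
1999-12-15 23:59:42 permit tcp 203.0.113.77:1931 -> 198.51.100.5:8765
1999-12-15 23:59:43 permit tcp 203.0.113.77:1932 -> 198.51.100.5:80
1999-12-16 02:10:05 permit tcp 192.0.2.99:2210 -> 198.51.100.5:8765
1999-12-16 03:00:00 permit tcp 192.0.2.10:1050 -> 198.51.100.5:8765
"""

TS = "%Y-%m-%d %H:%M:%S"
CONN = re.compile(r"^(\S+ \S+) permit tcp (\S+):\d+ -> \S+:(\d+)$")

def restart_times(event_log):
    """Timestamps of 'restarted' warnings written by the Ultraseek service."""
    return [datetime.strptime(line[:19], TS)
            for line in event_log.splitlines()
            if "Ultraseek Server: Warning: restarted" in line]

def connections(router_log, port=8765):
    """(timestamp, source IP) for each connection to the search port."""
    out = []
    for line in router_log.splitlines():
        m = CONN.match(line)
        if m and int(m.group(3)) == port:
            out.append((datetime.strptime(m.group(1), TS), m.group(2)))
    return out

def suspects(event_log, router_log, window_s=10):
    """Map each restart to the source IPs that connected shortly before it."""
    conns = connections(router_log)
    result = {}
    for t in restart_times(event_log):
        lo = t - timedelta(seconds=window_s)
        result[t.strftime(TS)] = sorted({ip for ts, ip in conns if lo <= ts <= t})
    return result

if __name__ == "__main__":
    for when, ips in suspects(EVENT_LOG, ROUTER_LOG).items():
        print(when, ips)
```

The window only works if the server and router clocks agree, so widen `window_s` when they are not synchronized.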

Once again a web service, just like IIS, fails to log a command before it
processes. Any service that takes commands needs to log the command first
and then process it. That way unless there is an overflow in the logging
process we will always know what IP performed the attack.
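
A minimal sketch of the log-first ordering argued for above, as an added example that is not Ultraseek code or part of the original advisory. The limits, names and the simulated crashing parser are assumptions; the logged copy of the request is truncated and escaped so the logging step itself stays bounded.

```python
import logging

MAX_REQUEST_LINE = 2048  # assumed limit for this sketch, not an Ultraseek setting
MAX_LOGGED = 256         # cap what is written so the log entry itself stays bounded

class ListHandler(logging.Handler):
    """Keeps log messages in memory so the demo can inspect them."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(record.getMessage())

def printable(data):
    """Escape non-printable bytes so a request cannot forge extra log lines."""
    return "".join(chr(b) if 32 <= b < 127 and b != 92 else "\\x%02x" % b
                   for b in data)

def handle(peer_ip, raw, log, process):
    """Record who sent what, then hand the request line to `process`."""
    line, sep, _ = raw.partition(b"\r\n")
    log.info("%s bytes=%d request=%s", peer_ip, len(raw),
             printable(line[:MAX_LOGGED]))
    for h in log.handlers:   # make sure the entry is written before parsing
        h.flush()
    if not sep or len(line) > MAX_REQUEST_LINE:
        log.warning("%s rejected: bad or oversized request line", peer_ip)
        return 400           # Bad Request; the parser is never reached
    return process(line)

def crashing_parser(line):
    """Stand-in for a parser that dies on the request (simulated crash)."""
    raise RuntimeError("worker died")

def demo():
    log = logging.getLogger("logfirst-demo")
    log.setLevel(logging.INFO)
    log.propagate = False
    sink = ListHandler()
    log.handlers = [sink]
    try:
        handle("203.0.113.77", b"GET /index.html HTTP/1.0\r\n\r\n", log, crashing_parser)
    except RuntimeError:
        pass                 # the worker is gone, but the entry is already logged
    big = b"GET /" + b"A" * 5000 + b"/ HTTP/1.0\r\n\r\n"  # constructed oversized request
    status = handle("203.0.113.77", big, log, crashing_parser)
    return status, sink.lines
```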

This advisory was made possible by a joint effort of USSR (Underground
Security Systems Research) and eEye Digital Security.

Do you do the w00w00?
This advisory also acts as part of w00giving. This is another contribution
to w00giving for all you w00nderful people out there. You do know what
w00giving is don't you? http://www.w00w00.org/advisories.html

Vendor Status:
We would like to thank Infoseek for the wonderful way they handled this
advisory. The process went rather perfectly, if there is such a thing in the
security world.

Fix:
http://software.infoseek.com/products/ultraseek/upgrade_nt.htm
ftp://ftp.infoseek.com/pub/software/ultraseek-3.1.5.exe

Related Links:

eEye Digital Security
http://www.eEye.ccom

Retina - The Network Security Scanner
http://www.eEye.com/retina/

Underground Security Systems Research
http://www.ussrback.com

CrunchSp
http://www.ussrback.com/products.html

Greetings:
Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and
Wiretrip.

Copyright (c) 1998-1999 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent
of eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
mail:info@eEye.com
http://www.eEye.com

USSR Labs
mail:labs@ussrback.com
http://www.ussrback.com

