============================================================================
====
               Delphis Consulting Plc
============================================================================
====

                    Security Team Advisories
                  [19/06/2000]


           securityteam@delphisplc.com
      [http://www.delphisplc.com/thinking/whitepapers/]
  
============================================================================
====
Adv  :   DST2K0018
Title  :  Multiple BufferOverruns in WebBBS HTTP Server v1.15
Author  :  DCIST (securityteam@delphisplc.com)
O/S  :  Microsoft Windows NT v4.0 Workstation (SP6)
Product  :  WebBBS v1.15
Date  :  19/06/2000

I.    Description

II.   Solution

III.  Disclaimer


============================================================================
====


I. Description
============================================================================
====

Vendor URL: http://www.webbbs.org/

Delphis Consulting Internet Security Team (DCIST) discovered the following
vulnerabilities in WebBBS under Windows NT.

Severity: high

By using the Webserver which is shipped and installed by default with WebBBS
it
is possible to cause a BufferOverRun in WebBBS. This is done be connecting
to port 80 (WebBBS) which the service resides on by  default and sending a
large
filename. The string has to be a length of 227 + EIP (4 bytes making a total
of
231 bytes). This will cause the above application to BufferOverRun over
writing
EIP. This would allow an attacker to execute arbitrary code.


Severity: high

By using the Webserver which is shipped and installed by default with WebBBS
it
is possible to cause a BufferOverRun in WebBBS. This is done be connecting
to port 80 (WebBBS) which the service resides on by  default and sending a
large
get statements (the Logon screen is a good example). The string has to be a
length of 545 + EIP (4 bytes making a total of 549 bytes). This will cause
the
above application to BufferOverRun over writing EIP. This would allow an
attacker
to execute arbitrary code.


II. Solution
============================================================================
====

Vendor Status: Informed

We would like to thank WebBBS for their very quick response, these have been
resolved
in v1.17 which is due for release soon.

III. Disclaimer
============================================================================
====
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR
IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.  NEITHER THE AUTHOR NOR THE
PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE
PLACED ON, THIS INFORMATION FOR ANY PURPOSE.
============================================================================
====