NGSSoftware Insight Security Research Advisory #NISR2406-03 - WebAdmin.exe, a utility that allows remote administrators to control MDaemon, RelayFax, and WorldClient, has a remotely exploitable buffer overrun in the USER parameter that would allow a remote attacker to execute arbitrary code on the server.
6792c533a2cd9f5fcacddb71b75e2176618d3457d31728ba0246ae3dfa98eb02
NGSSoftware Insight Security Research Advisory
Name: Remote System Buffer Overrun WebAdmin.exe
Systems Affected: Windows
Severity: High Risk
Category: Buffer Overrun
Vendor URL: http://www.altn.com/
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 24th June 2003
Advisory number: #NISR2406-03
Description
***********
WebAdmin allows administrators to securely manage MDaemon, RelayFax, and
WorldClient from anywhere in the world
Details
*******
There is a remotely exploitable buffer overrun in the USER parameter.
By default the webadmin.exe process is started as a system service. Any
code being passed to the server by an attacker as a result of this buffer
overrun would therefore (based on a default install) execute with system
privileges.
POST /WebAdmin.dll?View=Logon HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, */*
Referer: http://ngssoftware.com:1000/
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: MyUser Agent
Host: NGSSoftware.com
Content-Length: 74
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: User=NGSSOFTWARE; Lang=en; Theme=Standard
User=LONGSTRING&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In
Fix Information
***************
NGSSoftware alerted ALTN to theses issues on the 19th of June 2003.
A patch has now been made available from
ftp://ftp.altn.com/WebAdmin/Release/wa205_en.exe
A check for these issues has been added to Typhon III, of which more
information is available from the
NGSSoftware website, http://www.ngssoftware.com
Further Information
*******************
For further information about the scope and effects of buffer overflows,
please see
http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf