NGSSoftware Insight Security Research Advisory

Name:                          WiTango Application Server & Tango 2000
Systems Affected:         Windows
Severity:                       Critical Risk
Category:                      Remote System Buffer Overrun
Vendor URL:                http://www.witango.com
Author:                         Mark Litchfield (mark@ngssoftware.com)
Date:                            18th July 2003
Advisory number:         #NISR18072003


Description
***********

As detailed on http://www.witango.com - Witango can provide your Web
Application with a solid application framework, a simple interface for both
the production and ongoing maintenance of complex application logic, a
variety of mechanisms to integrate to non-web interfaces, and a wide range
of database connectivity options. The Witango product suite provides a
comprehensive Integrated Development Environment (IDE) to enable application
developers to rapidly generate XML files which can then be deployed to a
wide range of operating systems.  Witango is a fast to learn, easy to use,
scalable solution for the Professional Web Application Developer.

Details
*******

By passing a long cookie to Witango_UserReference we overwrite the saved
return address on the stack.  As Witango is installed as LocalSystem, any
arbitrary code execution will run as SYSTEM

GET /ngssoftware.tml HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
application/x-shockwave-flash, */*
Accept-Language: en-gb
User-Agent: My Browser
Host: ngssoftware.com
Connection: Keep-Alive
Cookie: Witango_UserReference= parameter length 2864

I have been asked by Phil Wade of Witango to mention the following: "We also
did some tests on older versions of the server and found the vulnerability
also exists in the previous version of the server which was known as Tango
2000.  Can you also mention that Tango 2000 is also vulnerable and should be
upgraded to Witango 5.0.1.062 especially if the Tango 2000 server is
accessible from the internet"

Fix Information
***************

NGSSoftware alerted Witango to this issue on 13th July 2003.  I would like
to mention, that Witango acted very quickly in producing a patch helping to
ensure that their clients are protected.  Please visit
http://www.witango.com to download the latest build.

A check for this issue has been added to Typhon, a comprehensive automated
vulnerability assessment tool of which more information is available from
the
NGSSite http://www.ngssoftware.com

About NGSSoftware
*****************

NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners.  Based in the United Kingdom, NGSSoftware have
offices in London, and St Andrews Scotland.  NGSSoftware's sister company
NGSConsulting, offers best of breed security consulting services,
specialising in application, host and network security assessments.

http://www.ngssoftware.com
http://www.ngsconsulting.com

Telephone: +44 208 40 100 70
Fax: +44 208 401 0076