Cerberus Information Security Advisory (CISADV000717) http://www.cerberus-infosec.co.uk/advisories.shtml Released : 17th July 2000 Name : Website Pro GET buffer overflow Affected Systems : Windows NT running Website Pro 2.4 Issue : Remote attackers can execute arbitrary code Author : David Litchfield (mnemonix@globalnet.co.uk) Description *********** The Cerberus Security Team has discovered a buffer overflow in O'Reilly's Website Pro 2.4. This overflow can be exploited by an attacker to execute arbitrary code. Details ******* There are many ways to cause this overflow - for example with an overly long "GET" request or overly long "Referer" client header. The saved return address is overwritten gaining control of the httpd32.exe process. By overwriting the return address with an address in memory that contains the "call ebx" or jmp ebx" it is possible to land back in the user supplied buffer where exploit code would be placed. Vendor Status ************* O'Reilly were informed of this on 23rd of June 2000, and the issue has been fixed in the 2.5 release available at http://software.oreilly.com/support/software/wsp2x_updates.cfm. Solution ******** Download and upgrade to release 2.5. About Cerberus Information Security, Ltd ***************************************** Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet security scanner) available for free from their website: http://www.cerberus-infosec.co.uk To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally they continually research operating system and popular service software vulnerabilites leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 70 to date, making them a clear leader of companies offering such security services. Founded in late 1999, by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serves customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0)208 395 4980. Permission is hereby granted to copy or redistribute this advisory but only in its entirety. Copyright (C) 2000 by Cerberus Information Security, Ltd