
Webtrends Reporting Center buffer overflow leading to arbitrary code execution
19th Apr 2002 [SBWID-5285]
COMMAND

	Webtrends Reporting Center buffer overflow  leading  to  arbitrary  code
	execution

SYSTEMS AFFECTED

	WebTrends Reporting Center 4.0d

PROBLEM

	In  NGSSoftware  Insight  Security  Research   Advisory   #NISR17042002C
	[http://www.ngssoftware.com/] :
	

	 Description

	 ===========

	

	WebTrends Reporting Center provides fast and comprehensive  analysis  of
	web  site   activity   to   multiple   decision-makers   throughout   an
	organization via a browser-based interface. WebTrends  Reporting  Center
	is, according to their own  website,  NetIQ's  flagship  web  analytics
	reporting product, recently receiving an  Editor's  Choice  Award  from
	Network Computing Magazine  (Feb 6, 2002).
	

	 Details

	 =======

	

	Buffer Overrun
	

	To exploit this vulnerability, an attacker must first undergo user
	authentication at
	

	http://targetmachine:1099(default listening port)/remote_login.pl

	

	However, Webtrends Reporting Server allows anonymous logins for  reports
	that are made available for public viewing. After  a  successful  login,
	making a GET request to
	

	http://targetmachine:1099/reports/(Long Char String)

	

	will cause an access violation in WTRS_UI.EXE (WTX_REMOTE.DLL),
	overwriting the saved return address on the stack. The Reporting Server
	process, WTRS_UI.EXE, is by default started as a system service along
	with WTRS.EXE, therefore any arbitrary code would execute with system
	privileges.
	

	Path Disclosure
	

	By making a simple GET request for
	

	http://targetmachine/get_od_toc.pl?Profile=

	

	(no authentication required) an error message is returned
	

	Unable to open content file path=C:/PROGRA~1/WEBTRE~1/wtm_wtx/
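
	Added example, not part of the NGSSoftware advisory: a log triage sketch that flags the two request shapes described above. It assumes an access log in Common Log Format (from the Reporting Center host or a proxy in front of it) and an arbitrary 256-character threshold, since the advisory states no overflow length; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the advisory gives no overflow length, so this threshold is a
# tunable guess at "longer than any legitimate report path".
MAX_REPORT_PATH = 256

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def classify(line):
    """Return (client_ip, finding) for a suspicious log line, else None."""
    m = CLF.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    path = url.path.lower()
    if path.startswith("/reports/"):
        tail_len = len(path) - len("/reports/")
        if tail_len > MAX_REPORT_PATH:
            return m["ip"], f"oversized /reports/ path ({tail_len} chars)"
    if path.endswith("/get_od_toc.pl"):
        profile = parse_qs(url.query, keep_blank_values=True).get("Profile")
        if profile is not None and all(v == "" for v in profile):
            return m["ip"], "get_od_toc.pl with empty Profile"
    return None

def scan(lines):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not taken from the advisory).
SAMPLE = [
    '192.0.2.10 - - [19/Apr/2002:10:00:00 +0000] "GET /reports/weekly/index.html HTTP/1.0" 200 5120',
    '192.0.2.66 - - [19/Apr/2002:10:01:00 +0000] "GET /reports/' + "A" * 600 + ' HTTP/1.0" 500 0',
    '192.0.2.66 - - [19/Apr/2002:10:02:00 +0000] "GET /get_od_toc.pl?Profile= HTTP/1.0" 200 87',
    '192.0.2.10 - - [19/Apr/2002:10:03:00 +0000] "GET /get_od_toc.pl?Profile=sales HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE):
        print(ip, finding)
```

	A request that crashes WTRS_UI.EXE may never be written to that process's own log, so a log taken at a fronting proxy or network sensor is the more reliable input.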

	

SOLUTION

	 Fix Information

	 ===============

	

	NGSSoftware alerted Webtrends to the buffer overrun issue on 31st  March
	2002 and future versions will be fixed. There is still some question  as
	to whether a patch  will  be  produced  for  earlier  versions.  In  the
	meantime  NGSSoftware  recommend  preventing  anonymous  access  to  the
	Reports server. NGSSoftware recommend that where possible,  the  service
	be run as a low privileged account  as  opposed  to  starting  it  as  a
	system service.
	

	A check for these issues has been added to Typhon II, NGSSoftware's
	vulnerability assessment scanner, of which more information is
	available from the NGSSite : http://www.ngssoftware.com/.
