
Talentsoft's Web+ remote buffer overflow via cookie
19th Apr 2002 [SBWID-5292]

	Talentsoft's Web+ v5.0


	From the advisory [#NISR17042002B] by David Litchfield of NGSSoftware
	[http://www.ngssoftware.com]:

	By requesting a WML file from a web server and supplying an overly long
	cookie, an internal buffer is overflowed, overwriting a saved return
	address on the stack. On procedure return control over the web server
	process' execution can be gained. If the server is running IIS 4 and
	using the Web+ ISAPI filter, then inetinfo.exe is the process captured.
	As this runs as SYSTEM, any code supplied by an attacker will run
	uninhibited. If IIS 5.0 then the process is dllhost.exe which runs in
	the context of the IWAM_* account. As this has limited privileges the
	risk is reduced. If the Web+ environment is set up using the webplus
	CGI executable, webplus.exe, on either server, then, again, the risk is


	Talentsoft have created a patch for this problem, see
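
A log check for the request pattern the advisory describes (a WML request carrying an overly long cookie), as an added example that is not part of the advisory or of Talentsoft's software. It assumes IIS W3C extended logging with the optional cs(Cookie) field enabled; the 1024-byte threshold and the sample log lines are constructed, since the advisory gives no length.

```python
# Added example: flag .wml requests with unusually long cookies in an
# IIS W3C extended log. Threshold and sample data are assumptions.
COOKIE_LIMIT = 1024  # assumed threshold; the advisory states no length

# Constructed sample log (documentation IP ranges, made-up URIs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)
2002-04-19 10:01:02 192.0.2.10 GET /wap/index.wml 200 session=abc123
2002-04-19 10:01:07 192.0.2.44 GET /wap/index.wml 500 {long}
2002-04-19 10:02:11 192.0.2.10 GET /default.htm 200 {long}
2002-04-19 10:03:30 192.0.2.51 GET /wap/News.WML 200 -
""".format(long="A" * 4000)


def suspicious_requests(log_text, limit=COOKIE_LIMIT):
    """Return (line_no, client_ip, uri, cookie_len) for each .wml
    request whose logged cookie is longer than `limit`."""
    fields, hits = [], []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # row does not match the declared layout
        row = dict(zip(fields, values))
        uri = row.get("cs-uri-stem", "")
        cookie = row.get("cs(Cookie)", "-")
        if cookie == "-":  # "-" marks an empty field
            continue
        if uri.lower().endswith(".wml") and len(cookie) > limit:
            hits.append((line_no, row.get("c-ip", "?"), uri, len(cookie)))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("line %d: %s requested %s with a %d-byte cookie" % hit)
```

A request that takes the server process down may never be written to the log, so this check complements the vendor patch and crash monitoring rather than replacing either.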


