Vulnerability: WebBBS
Affected: WebBBS v1.17

Description:
The following is based on Delphis Consulting Plc Security Team Advisories. WebBBS fixed a number of bugs which were referenced in webbbs1.html; on release of the new version (19/06/2000) DCIST audited it and confirmed that the issues previously reported were resolved. However, DCIST discovered the following new vulnerabilities in WebBBS under Windows NT.

By using an overly long string on the search file system option page it is possible to cause a Denial of Service. The reason this is classed as a Denial of Service rather than a BufferOverrun (which it does in fact cause) is that the overwritten EIP is seemingly random (i.e. not byte perfect).

By using the New user sign up form, shipped and installed as standard by WebBBS, it is possible to cause a BufferOverRun in WebBBS. This is done by connecting to port 80 (the port the WebBBS service resides on by default) and sending a username. The username has to be a length of 892 + EIP (4 bytes, making a total of 896 bytes). This will cause the application to BufferOverRun, overwriting EIP. This would allow an attacker to execute arbitrary code.

Solution:
Currently there is no vendor patch available, but the following are preventative measures Delphis Consulting Internet Security Team would advise users running this service to implement:

o Remove new user sign up
o Remove filesystem search

This will be dealt with once a code audit has been completed to identify any other areas we have not highlighted to them which may also be affected.
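The pattern behind both findings is an unbounded copy of a request field into a fixed-size stack buffer. The example below is constructed for this advisory and is not WebBBS code: the 892-byte buffer in the unsafe handler mirrors the offset the advisory reports, the USERNAME_MAX and SEARCH_MAX caps are assumed values, and the hardened handlers reject oversize fields before any copy takes place.

```c
#include <stdio.h>
#include <string.h>

/* Assumed caps for the two form fields named in the advisory. */
#define USERNAME_MAX 64
#define SEARCH_MAX   256

/* Unsafe pattern the advisory describes (constructed, not WebBBS source):
 * an unbounded copy into a fixed stack buffer. With 892 bytes of data the
 * next 4 bytes land on the saved return address. Kept for contrast only. */
void unsafe_signup(const char *username) {
    char buf[892];
    strcpy(buf, username);          /* no length check: overrun on long input */
    (void)buf;
}

/* Hardened copy: count the input only up to max_len + 1 so a huge field is
 * never fully walked, refuse anything over the cap instead of truncating,
 * and always NUL-terminate. Returns 0 on success, -1 on oversize input. */
int copy_bounded(char *dst, size_t dst_size, const char *src, size_t max_len) {
    size_t n = 0;
    while (n <= max_len && src[n] != '\0') n++;
    if (n > max_len || n >= dst_size) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Signup handler: reject the request (and log it) rather than copy. */
int handle_signup(const char *username) {
    char buf[USERNAME_MAX + 1];
    if (copy_bounded(buf, sizeof buf, username, USERNAME_MAX) != 0) return -1;
    return 0;                        /* account creation would use buf here */
}

/* Same guard for the filesystem search field. */
int handle_search(const char *query) {
    char buf[SEARCH_MAX + 1];
    if (copy_bounded(buf, sizeof buf, query, SEARCH_MAX) != 0) return -1;
    return 0;
}

/* Helper: submit a constructed username of `len` 'A' bytes. */
int signup_with_length(size_t len) {
    char in[1024];
    if (len >= sizeof in) return -2;
    memset(in, 'A', len);
    in[len] = '\0';
    return handle_signup(in);
}
```

A request of the advisory's 896-byte length is rejected at the cap instead of reaching the copy, and an ordinary username passes.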