Date: Fri, 2 Apr 2004 15:10:01 +0200
From: "Dennis Rand" <dra@...tego.dk>
To: <news@...uriteam.com>, <full-disclosure@...ts.netsys.com>,
   <bugtraq@...urityfocus.com>
Subject: Buffer Overflow in HAHTsite Scenario Server 5.1


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PROTEGO Security Advisory #PSA200405
Topic: Buffer Overflow in HAHTsite Scenario Server 5.1 
Platform: Windows, Solaris and Linux
Application: HAHTsite Scenario Server 5.1, Patch 1 to 6
Author: Dennis Rand (dra at protego.dk)
Advisory URL: http://www.protego.dk/advisories/20045.html
Vendor Name: HAHT Commerce
Vendor URL: http://www.haht.com
Vendor contacted: 12. Nov. 2003
Public release: 2. Apr. 2004

Explanation:
The HAHTsite® Scenario Server is a highly flexible, standards-based
e-business server that offers essential platform features such as
scalability, high availability, security and extensibility. The Scenario
Server also offers essential integration features that provide a
powerful framework for your demand chain management environment. 

Problem:
The HAHTsite Scenario Server does not perform proper bounds check on
requests passed to the application. This results in a buffer overflow
condition, when a large specially crafted request is sent to the server.

Details:
The issue can be triggered by requesting:
http://[hostname]/[cgialias]/hsrun.exe/[ServerGroupName]/[ServerGroupName]/[VeryLongProjectName].htx;start=[PageName]

This bug affects both background processes (regular server groups), and
control processes (the administrative server group). 

The following error will appear in the event viewer when this
vulnerability is exploited:

- ------------------------------------------------------------------
Event Type: Error 
Event Source: HAHTsite 5.1 Controller 
Event Category: None 
Event ID: 1032 
Description: 
Unexpected termination of server hsadmsrv with PID=xxxx: Exit Reason:
Unknown Reason 
- ------------------------------------------------------------------ 

Impact:
A request like the above will overrun the allocated buffer and overwrite
EIP (Instruction Pointer), which leads to a service restart and the
possibility of remote code execution, giving an attacker the opportunity
to run commands on the server with permission of NT AUTHORITY\SYSTEM. 

PROTEGO has developed a Proof of Concept exploit that will make the
server return a command prompt with SYSTEM privileges, to an attacker.

Corrective actions:
This security vulnerability can be corrected by applying the server fix
[20030010] from www.haht.com/kb

For Windows:
ftp://ftp.haht.com/private/support/fixes/5.1/build91/ox79989_buffer_overrun_fix.zip

For Solaris:
Contact HAHT Technical Support at support@...t.com. 

For Linux:
Contact HAHT Technical Support at support@...t.com.

Disclaimer:
The information within this document may change without notice. Use of
this information constitutes acceptance for use in an "AS IS" condition.
There are NO warranties with regard to this information. In no event
shall PROTEGO be liable for any consequences or damages, including
direct, indirect, incidental, consequential, loss of business profits or
special damages, arising out of or in connection with the use or spread
of this information. Any use of this information lies within the user's
responsibility. All registered and unregistered trademarks represented
in this document are the sole property of their respective owners. 


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQG1mILlyfqEDqHg2EQJGqQCdFpUQ55mXXmKM2AHq7nH5OHA/QLQAn3jD
SusrDhhssjTdsgJOr7fZFTd6
=iTDN
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
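The advisory gives two defender-side indicators: the request shape `/[cgialias]/hsrun.exe/[ServerGroupName]/[ServerGroupName]/[ProjectName].htx;start=[PageName]` with an abnormally long project name, and Event ID 1032 from source "HAHTsite 5.1 Controller" reporting an unexpected termination of hsadmsrv. The following Python is an added example, not part of the advisory or of any HAHT or PROTEGO tooling, showing how a detection engineer could scan web-server access logs for overlong project-name segments and match the crash event. The log format, the client/path field positions, the 64-character threshold (the advisory states no exact overflow length) and the event dictionary keys are all assumptions; the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (date time client method path status); not from the advisory.
SAMPLE_LOG = (
    "2004-04-02 10:00:01 10.0.0.5 GET /cgi-bin/hsrun.exe/Default/Default/Orders.htx;start=HS_Main 200\n"
    "2004-04-02 10:00:02 10.0.0.9 GET /cgi-bin/hsrun.exe/Default/Default/" + "A" * 600 + ".htx;start=HS_Main 500\n"
    "2004-04-02 10:00:03 10.0.0.5 GET /index.html 200\n"
)

# Path shape from the advisory:
#   /[cgialias]/hsrun.exe/[ServerGroupName]/[ServerGroupName]/[ProjectName].htx;start=[PageName]
HSRUN_RE = re.compile(
    r"/hsrun\.exe/(?P<group1>[^/]+)/(?P<group2>[^/]+)/(?P<project>[^/;]+?)\.htx"
    r"(?:;start=(?P<page>[^\s?]*))?",
    re.IGNORECASE,
)

# Assumed threshold: the advisory does not state the length that overruns the buffer,
# so flag anything far longer than a plausible project name.
MAX_PROJECT_LEN = 64


def inspect_request(path, max_len=MAX_PROJECT_LEN):
    """Describe an hsrun.exe request path, or return None if the path is not one.

    Percent-decoding first prevents an encoded project name from slipping past the length check.
    """
    m = HSRUN_RE.search(unquote(path))
    if not m:
        return None
    project = m.group("project")
    return {
        "group": m.group("group1"),
        "project_len": len(project),
        "suspicious": len(project) > max_len,
    }


def scan_log(text, max_len=MAX_PROJECT_LEN):
    """Return (line_no, client, project_len) for every request whose project name exceeds max_len."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line; skip rather than crash the scan
        client, path = parts[2], parts[4]
        info = inspect_request(path, max_len)
        if info and info["suspicious"]:
            hits.append((n, client, info["project_len"]))
    return hits


def is_hsadmsrv_crash(event):
    """Match the event-viewer entry quoted in the advisory (hypothetical exported-event dict keys)."""
    return (
        event.get("EventID") == 1032
        and event.get("Source") == "HAHTsite 5.1 Controller"
        and "Unexpected termination of server hsadmsrv" in event.get("Description", "")
    )


if __name__ == "__main__":
    for line_no, client, length in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {client} sent project name of {length} chars")
```

Correlating a flagged request with a matching 1032 event within a short window of its timestamp is the strongest signal that the crash was request-driven rather than an unrelated fault; either indicator alone is worth an alert on an unpatched host.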

