lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000001c418b3$cedab9b0$2664a8c0@pcdra>
From: dra at protego.dk (Dennis Rand)
Subject: Buffer Overflow in HAHTsite Scenario Server 5.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PROTEGO Security Advisory #PSA200405
Topic: Buffer Overflow in HAHTsite Scenario Server 5.1 
Platform: Windows, Solaris and Linux
Application: HAHTsite Scenario Server 5.1, Patch 1 to 6
Author: Dennis Rand (dra at protego.dk)
Advisory URL: http://www.protego.dk/advisories/20045.html
Vendor Name: HAHT Commerce
Vendor URL: http://www.haht.com
Vendor contacted: 12. Nov. 2003
Public release: 2. Apr. 2004

Explanation:
The HAHTsiteR Scenario Server is a highly flexible, standards-based
e-business server that offers essential platform features such as
scalability, high availability, security and extensibility. The Scenario
Server also offers essential integration features that provide a
powerful framework for your demand chain management environment. 

Problem:
The HAHTsite Scenario Server does not perform proper bounds check on
requests passed to the application. This results in a buffer overflow
condition, when a large specially crafted request is sent to the server.

Details:
The issue can be triggered by requesting:
http://[hostname]/[cgialias]/hsrun.exe/[ServerGroupName]/[ServerGroupNam
e]/[VeryLongProjectName].htx;start=[PageName]

This bug affects both background processes (regular server groups), and
control processes (the administrative server group). 

The following error will appear in the event viewer when this
vulnerablity is exploited:

- ------------------------------------------------------------------
Event Type: Error 
Event Source: HAHTsite 5.1 Controller 
Event Category: None 
Event ID: 1032 
Description: 
Unexpected termination of server hsadmsrv with PID=xxxx: Exit Reason:
Unknown Reason 
- ------------------------------------------------------------------ 

Impact:
A request like the above will overrun the allocated buffer and overwrite
EIP (Instruction Pointer), which leads to a service restart and the
possibility of remote code execution, giving an attacker the opportunity
to run commands on the server with permission of NT AUTHORITY\SYSTEM. 

PROTEGO has developed af Proof of Concept exploit that will make the
server return a command prompt with SYSTEM privileges, to an attacker.

Corrective actions:
This security vulnerability can be corrected by applying the server fix
[20030010] from www.haht.com/kb

For Windows:
ftp://ftp.haht.com/private/support/fixes/5.1/build91/ox79989_buffer_over
run_fix.zip

For Solaris:
Contact HAHT Technical Support at support@...t.com. 

For Linux:
Contact HAHT Technical Support at support@...t.com.

Disclaimer:
The information within this document may change without notice. Use of
this information constitutes acceptance for use in an "AS IS" condition.
There are NO warranties with regard to this information. In no event
shall PROTEGO be liable for any consequences or damages, including
direct, indirect, incidental, consequential, loss of business profits or
special damages, arising out of or in connection with the use or spread
of this information. Any use of this information lies within the user's
responsibility. All registered and unregistered trademarks represented
in this document are the sole property of their respective owners. 


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQG1mILlyfqEDqHg2EQJGqQCdFpUQ55mXXmKM2AHq7nH5OHA/QLQAn3jD
SusrDhhssjTdsgJOr7fZFTd6
=iTDN
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ