Netwin Webnews.exe

February 18th, 2002

NGSSoftware Insight Security Research Advisory

Name:             Netwin Webnews.exe
Systems Affected: IIS4 & IIS5 on Windows NT/2000
Severity:         High Risk
Vendor URL:       http://www.netwinsite.com
Author:           Mark Litchfield (mark@ngssoftware.com)
Date:             18th February 2002
Advisory number:  #NISR18022002
Advisory URL:     http://www.nextgenss.com/advisories/netwinnews.txt

Issue
*****
Netwin’s WebNews contains a remotely exploitable buffer overrun that allows the execution of arbitrary code.

Description
***********
WebNEWS is a server side application (cgi) which provides users with web based access to Internet News Groups. It is compatible with any standard NNTP (Network News) server system. WebNews allows news groups to be displayed, accessed and searched via a web-based interface. WebNews may be used to provide a web based news service, similar to the popular Deja News Services. Providing Web access to news gives users access to their news from anywhere on the net. All they need is a web browser.

Details
*******
Webnews.exe is the main executable that provides the program’s functionality. The buffer overflow manifests itself when an overly long string (c. 1500 bytes) is supplied in the group parameter of the query string and the server receives a valid “utoken”. The “utoken” is the user token supplied by the server for a given session.

In terms of an attack, any code executed will run in the security context of the low privileged account used by IIS to service such requests so won’t have full control over the system. That said, it is imperative that this be addressed as it allows an attacker greater access to the vulnerable system and other machines behind the firewall on the same DMZ.
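
A defensive check for the condition described above, as an added example that is not part of the original advisory: it scans IIS W3C extended log lines for webnews.exe requests whose group parameter is unusually long. The 256-byte threshold, the request paths, the placeholder token and the sample log lines are assumptions constructed for illustration.

```python
from urllib.parse import unquote, unquote_to_bytes

# Assumed threshold, well under the c. 1500 bytes named in the advisory.
MAX_GROUP_LEN = 256

def find_long_group(log_lines, max_len=MAX_GROUP_LEN):
    """Return (client_ip, group_bytes, has_utoken) for each webnews.exe
    request whose decoded 'group' parameter is longer than max_len."""
    fields, hits = [], []
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if not row.get("cs-uri-stem", "").lower().endswith("/webnews.exe"):
            continue
        group_len, has_utoken = 0, False
        for pair in row.get("cs-uri-query", "-").split("&"):
            name, _, value = pair.partition("=")
            name = unquote(name).lower()
            if name == "group":
                # Measure the percent-decoded byte length of the value.
                group_len = max(group_len, len(unquote_to_bytes(value)))
            elif name == "utoken":
                has_utoken = True
        if group_len > max_len:
            hits.append((row.get("c-ip", "?"), group_len, has_utoken))
    return hits

# Constructed sample log: documentation IPs, placeholder token, assumed path.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-02-18 10:00:01 192.0.2.10 GET /cgi-bin/webnews.exe "
    "utoken=EXAMPLE&group=comp.security.misc 200",
    "2002-02-18 10:00:07 192.0.2.66 GET /cgi-bin/webnews.exe "
    "utoken=EXAMPLE&group=" + "x" * 1500 + " 500",
    "2002-02-18 10:00:09 192.0.2.10 GET /default.htm - 200",
]

if __name__ == "__main__":
    for ip, size, tok in find_long_group(SAMPLE_LOG):
        print(f"{ip}: group parameter is {size} bytes (utoken sent: {tok})")
```

A log line cannot show whether a utoken was valid, so the third field only records that one was sent.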

Fix Information
***************
NGSSoftware alerted Netwin to these problems on the 11th of February, and Netwin responded quickly with a patch. This patch was made available on the 14th February 2002, and can be downloaded from

ftp://netwinsite.com/pub/webnews/beta/

A check for this issue has been added to Typhon II, of which more information is available from the NGSSoftware website, http://www.ngssoftware.com.

Further Information
*******************
For further information about the scope and effects of buffer overflows, please see

http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
