DST2K0019.txt

`============================================================================  
Delphis Consulting Plc  
============================================================================  
  
Security Team Advisories  
[30/06/2000]  
  
[email protected]  
[http://www.delphisplc.com/thinking/whitepapers/]  
  
============================================================================  
Adv : DST2K0019  
Title : Multiple BufferOverruns in WebBBS v1.17  
Author : DCIST ([email protected])  
O/S : Microsoft Windows NT v4.0 Workstation (SP5)  
Product : WebBBS v1.17  
Date : 30/06/2000  
  
I. Description  
  
II. Solution  
  
III. Disclaimer  
  
  
============================================================================  
  
I. Description  
============================================================================  
  
Vendor URL: http://www.webbbs.org/  
  
WebBBS fixed a number of bugs which were referenced in DST2K0018, however  
on release of the new version (19/06/2000) DCIST audited the new version  
and indeed the issues we released were resolved. How ever Delphis Consulting  
  
Internet Security Team (DCIST) discovered the following new vulnerabilities  
in WebBBS under Windows NT.  
  
Severity: med  
  
By using a overly long string on the search file system option page it is  
possible to cause a Denial of Service. The reason this is a Denial of  
Service  
rather than a BufferOverrun (which indeed it does cause) is that the EIP is  
seemingly random when overwrriten (i.e. not byte perfect).  
  
Severity: high  
  
By using the New user sign up form shipped and installed as standard by  
WebBBS is possible to cause a BufferOverRun in WebBBS. This is done be  
connecting to port 80 (WebBBS) which the service resides on by default and  
sending a username. The username has to be a length of 892 + EIP (4 bytes  
making a total of 896 bytes). This will cause the above application to  
BufferOverRun over writing EIP. This would allow an attacker to execute  
arbitrary code.  
  
  
II. Solution  
============================================================================  
  
Vendor Status: Informed  
  
Currently there is no vendor patch available but the following are  
preventative  
measures Delphis Consulting Internet Security Team would advise  
users running this service to implement.  
  
o Remove new user sign up  
o Remove filesystem search  
  
We have had e-mail confirmation for the WebBBS support team that this  
will be dealt with once a code audit have been completed to erase any  
other areas we have not highlighted to them which may also be effected.  
  
III. Disclaimer  
============================================================================  
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT  
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR  
IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE  
PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR  
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE  
PLACED ON, THIS INFORMATION FOR ANY PURPOSE.  
============================================================================  
  
`